OES 2 SP3: Novell AFP For Linux Administration Guide


About This Guide 


This guide describes how to use the Novell Apple Filing Protocol (AFP) service on a Novell Open
Enterprise Server (OES) 2 SP3 server to provide file access to Macintosh systems and manage that access.


This guide is divided into the following sections: 


* Chapter 1, "Overview of AFP," on page 9
* Chapter 2, "What's New," on page 13
* Chapter 3, "Planning and Implementing AFP," on page 15
* Chapter 4, "Installing and Setting Up AFP," on page 17
* Chapter 5, "Administering the AFP Server," on page 23
* Chapter 6, "Migrating AFP from NetWare to OES 2 SP3 Linux," on page 33
* Chapter 7, "Running AFP in a Virtualized Environment," on page 35
* Chapter 8, "Configuring AFP with Novell Cluster Services for an NSS File System," on page 37
* Chapter 9, "Working with Macintosh Computers," on page 43
* Chapter 10, "Monitoring the AFP Server," on page 49
* Chapter 11, "Auditing the AFP Server," on page 51
* Chapter 12, "Troubleshooting AFP," on page 53
* Chapter 13, "Security Guidelines for AFP," on page 57
* Appendix A, "Command Line Utilities for AFP," on page 59
* Appendix B, "Comparing AFP on NetWare and AFP on Linux," on page 61


Audience 


The audience for this document is network administrators. This documentation is not intended for
users of the network.


Documentation Updates 


For the most recent version of the Novell AFP Linux Administration Guide, see the Novell Open 
Enterprise Server 2 SP3 Documentation (http://www.novell.com/documentation/oes2/). 


Feedback 


We want to hear your comments and suggestions about this guide and the other documentation 
included with Novell OES. Please use the User Comment feature at the bottom of each page of the 
OES online documentation. 


Additional Documentation 


For information about AFP on NetWare, see the NW 6.5 SP8: AFP, CIFS, and NFS (NFAP) 
Administration Guide. 
1 Overview of AFP


Novell Apple Filing Protocol (AFP) for Linux operating systems is provided with Novell Open 
Enterprise Server (OES) 2 SP1 and later versions. AFP is a network protocol that offers file services 
for Macintosh clients. OES 2 SP3 Linux currently supports AFP version 3.1. 


* Section 1.1, "Understanding AFP," on page 9
* Section 1.2, "AFP Features and Capabilities," on page 10
* Section 1.3, "Limitations," on page 11
* Section 1.4, "What's Next," on page 11


1.1 Understanding AFP


Novell AFP (Apple Filing Protocol) lets Macintosh workstations access and store files on OES 2 SP3 
without installing any additional software. The AFP software is installed as part of OES and provides 
out-of-the-box network access. You can connect the network cable, start the Macintosh computer, and 
you have access to servers on your network. 


Novell AFP enables the Linux server to use the same protocol as the client workstation to copy, 
create, delete, move, save, and open files on a Macintosh workstation. 


Figure 1-1 Novell AFP Overview

(Figure: an OES 2 Linux Server running AFP, connected over AFP to three Apple PCs.)


Enabling native protocols on a Linux server means that users can access files on the network, map
network drives, and create shortcuts to the Linux servers by using the native methods available in
their specific operating systems. Macintosh users can use Chooser or the Go menu to access network
files and even create aliases. The native protocols that run on a Linux server enable the users to
seamlessly copy, delete, move, create, save, and open network files, just as they would if they were
working locally.


AFP also provides integration with Novell eDirectory. Consolidation of user management through 
eDirectory simplifies network administration. All users who need access to the network are 
represented in eDirectory through User objects, which enables you to easily and effectively assign 
trustee rights, control access, and manage all user objects from a single location on the network. 


Novell AFP is currently supported only on the NSS file system and it can be used for accessing files 
on NSS volumes. 


1.1.1 AFP and Universal Password 


Universal Password helps in the management of password-based authentication schemes. Each AFP user
must be Universal Password enabled to be able to log in to the AFP server.


The Universal password is not enabled by default. 


For details on Universal Password, see Novell Password Management (http://www.novell.com/
documentation/password_management32/pwm_administration/index.html?page=/documentation/
password_management32/pwm_administration/data/bookinfo.html).


1.2 AFP Features and Capabilities 


AFP has many features that can help you manage users, workstations, and networks.

* AFP parameter configuration and administration through iManager. For more information, see
Chapter 5, "Administering the AFP Server," on page 23.
* Support for Macintosh OS 10.3, 10.4, 10.5, and 10.6.
* Integration with Novell eDirectory.
* Migration capability from NetWare to SUSE Linux Enterprise Server. For more information, see
Chapter 6, "Migrating AFP from NetWare to OES 2 SP3 Linux," on page 33.
* Cross-Protocol File Locking support between AFP, CIFS, and NCP. For more information, see
"Novell AFP Supports Cross-Protocol File Locking with NCP for NSS Volumes".
* Auditing support for file access activities. For more information, see Chapter 11, "Auditing the
AFP Server," on page 51.
* Bonjour support for AFP service discovery using the Bonjour protocol.
* Auditing and monitoring support. The auditing framework helps you monitor the authentication
process, and the monitoring framework helps you assess the performance of the AFP server. For
more information, see Chapter 11, "Auditing the AFP Server," on page 51 and Chapter 10,
"Monitoring the AFP Server," on page 49.
* Support for Unicode filenames.
* Support for Universal Passwords longer than 8 characters.
* Clustering support for high availability. For more information, see Chapter 8, "Configuring AFP
with Novell Cluster Services for an NSS File System," on page 37.
1.3 Limitations

If you restart eDirectory, ensure that you also restart the AFP service, either with the
rcnovell-afptcpd restart command or through iManager.

1.4 What's Next

For information on new features in this release of AFP, see Chapter 2, "What's New," on page 13.
2 What's New


This section describes additions to the Novell Apple Filing Protocol (AFP) service for the Novell 
Open Enterprise Server 2 SP3 Linux platform while maintaining feature parity with the existing 
solution on the NetWare platform. 


* Authentication: Authentication is now done using the NMAS method.

* AFP does not require a proxy user for user authentication from OES 2 SP3 onwards.


2.1 What's New (OES 2 SP3 April 2013 Patches)


Upgrade to eDirectory 8.8.7 


An upgrade to Novell eDirectory 8.8 SP7 is available in the April 2013 Scheduled Maintenance for 
OES 2 SP3. For information about the eDirectory upgrade, see TID 7011599 in the Novell 
Knowledgebase. 


There will be no further eDirectory 8.8 SP6 patches for the OES platform. Previous patches for Novell 
eDirectory 8.8 SP6 are available on Novell Patch Finder. 


2.2 What's New (OES 2 SP3 January 2013 Patches)


Upgrade to Novell iManager 2.7.6 


The January 2013 Scheduled Maintenance for OES 2 SP3 includes a channel upgrade from Novell 
iManager 2.7.5 to Novell iManager 2.7.6. 


Novell iManager 2.7.6 provides the following enhancements: 


* Microsoft Internet Explorer 10 certification in the desktop user interface view on Windows 8
(excluding Windows 8 RT) and Windows Server 2012.
* Apple Safari 6.0 certification on Mac OS X Mountain Lion (version 10.8).
* iManager Workstation certification on Windows 8 Enterprise Edition (32-bit and 64-bit).
* iManager 2.7.6 support for Tomcat 7.0.32 and Java 1.7.0_04.


iManager documentation links in this guide have been updated to reflect this change. 


iManager 2.7.6 documentation is available on the Web. For earlier iManager versions, see Previous 
Releases. 
New Novell Cluster Services Plug-in for iManager 2.7.5 and Later


The Clusters plug-in for Novell iManager 2.7.5 or later supports the management of OES and
NetWare clusters and resources. The availability of different cluster management features depends
on the version of Novell Cluster Services and the server platform that are installed on the cluster
being managed. A comparison of the old and new interface is available in "What's New (January
2013 Patches)" in the OES 2 SP3: Novell Cluster Services 1.8.8 Administration Guide for Linux.


OES Client Services Support for Mac OS X 10.8 and Safari 6.0 


In the January 2013 Scheduled Maintenance for OES 2 SP3, OES client services added support for 
user access from Mac OS X Mountain Lion (version 10.8) clients, with the exception of Domain 
Services for Windows (DSfW) and Novell iFolder: 


* DSfW was not tested with Mac OS X 10.8 clients and does not support them. DSfW support for 
Mac OS X 10.8 clients is planned for a future release. 

* The iFolder client does not run on Mac OS X 10.8 clients and does not support them. Web-based
client access is supported for the Apple Safari 6.0 Web browser on Mac OS X 10.8 clients. 


Safari 6.0 is not supported by DSfW and iFolder. 


2.3 What's New in the October 2011 Patch Release

* Mac clients (10.5.x or later) can authenticate to the AFP server using the DHX2 authentication
mechanism.


2.4 What's New in the August 2011 Patch Release


With the release of the August 2011 patches for OES 2 SP3, the base platform has been upgraded to 
SLES 10 SP4. 


SLES 10 SP4 support is enabled by updating OES 2 SP3 servers with the move-to-sles10-sp4 patch.
Novell encourages customers to update to this latest set of patches. For more information, see
"Updating (Patching) an OES 2 SP3 Server" in the OES 2 SP3: Installation Guide.


SLES 10 SP4 is considered a lower-risk update that contains a set of consolidated bug fixes and 
support for newer hardware. It does not impact the kernel ABI or third-party certifications. 


With the release of the August 2011 patches, OES 2 SP2 customers who upgrade to OES 2 SP3 via the 
move-to patch will receive the SLES 10 SP4 updates. New installations of OES 2 SP3, migrations to 
OES 2 SP3, and down-server upgrades to OES 2 SP3, should all be performed using SLES 10 SP4 
media. 
3 Planning and Implementing AFP


This section describes requirements and guidelines for using the Novell Apple Filing Protocol (AFP) 
for Novell Open Enterprise Server (OES) 2 SP3. 


* Section 3.1, "Supported Platforms," on page 15
* Section 3.2, "Requirements," on page 15
* Section 3.3, "Antivirus Support," on page 15
* Section 3.4, "Unsupported Service Combinations," on page 16
* Section 3.5, "What's Next," on page 16


3.1 Supported Platforms

Before installing AFP, ensure that your system meets the following requirements.

* Section 3.1.1, "Server Requirements," on page 15
* Section 3.1.2, "Client Requirements," on page 15

3.1.1 Server Requirements

* OES 2 SP1 Linux or later

3.1.2 Client Requirements

* Macintosh 10.3 or later


3.2 Requirements

* If your eDirectory replica is stored on an eDirectory server earlier than 8.8.3, make sure that you
upgrade the server by using the Security Services 2.0.6 patch (http://download.novell.com/
Download?buildid=LYIbZMAom6k-).

* The AFP server requires at least one Read/Write replica in an eDirectory tree with NMAS
version 3.2 or later.


3.3 Antivirus Support

The Apple Filing Protocol (AFP) support for NSS files on OES 2 SP3 Linux is implemented via a
technology that bypasses the real-time scanning employed by most OES 2 antivirus solutions. To
protect NSS files that are shared through an AFP connection, set up an antivirus solution that
supports on-demand scanning on the OES 2 server, or real-time and on-demand scanning on the
Apple client. For information about antivirus solution providers for OES 2, see the Novell Partner
page (http://www.novell.com/documentation/oes2/oes_implement_lx_nw/?page=/documentation/
oes2/oes_implement_lx_nw/data/bnOtewl.html).


3.4 Unsupported Service Combinations 


Do not install any of the following service combinations on the same server with Novell AFP. 
Although not all of the combinations cause pattern conflict warnings, Novell does not support any of 
the combinations shown. 


* Netatalk
* Novell Domain Services for Windows
* Xen Virtual Machine Host Server
* DST Shadow Volume
* DFS Junction


3.5 What's Next 


To proceed with the installation of AFP, see Chapter 4, "Installing and Setting Up AFP," on page 17.
4 Installing and Setting Up AFP


This section describes how to install and configure the Novell Apple Filing Protocol (AFP) on a
Novell Open Enterprise Server (OES) 2 SP3 server.

* Section 4.1, "Installing AFP during the OES 2 SP3 Installation," on page 17
* Section 4.2, "Installing AFP after the OES 2 SP3 Installation," on page 20
* Section 4.3, "Installing AFP NMAS Methods," on page 21
* Section 4.4, "Verifying the Installation," on page 21
* Section 4.5, "What's Next," on page 22


4.1 Installing AFP during the OES 2 SP3 Installation


YaST uses a predefined system of installing components along with the associated dependencies. For 
a service to function properly, all the dependent products must be installed. Pattern deployment 
provides patterns for different services. Selecting a pattern automatically selects and installs its 
dependencies. 


1 In the YaST install for OES, on the Installation Settings page, click Software to go to the Software
Selections page. For information about the entire OES 2 installation process, see the OES 2 SP3:
Installation Guide.
2 From the OES Services option, select Novell AFP. Click Accept.
The following additional services are automatically selected: 
* Novell Backup / Storage Management Services (SMS) 


SMS helps back up file systems or applications on NetWare and SUSE Linux Enterprise 
Server (SLES) to removable tape media or other media for off-site storage. 


* Novell eDirectory 
eDirectory supports authentication of users. 


* Novell Linux User Management (LUM) 


LUM is a directory-enabled application that simplifies and unifies the management of user 
profiles on Linux-based platforms. 


* Novell Storage Services (NSS) 


Novell Storage Services helps you manage pools and volumes on a Novell Open Enterprise
Server 2 server.


Novell AFP supports only Novell Storage Services (NSS) volumes. 
* Novell Remote Manager (NRM) 


NRM for Linux is a browser-based utility that you can use to manage one or more Linux 
servers from a remote location. 
(Screenshot: the YaST Software Selection page, with the OES Services patterns listed in the left pane
and Novell AFP selected. The Details pane for the Novell AFP pattern reads: "Novell AFP server allows
Mac clients to access data stored on NSS volumes in the same way as they access data on a Mac OS X
server. This service selects and installs these services: Novell Backup / Storage Management Services
(SMS), Novell eDirectory, Novell Storage Services (NSS), Novell Linux User Management (LUM),
Novell Remote Manager (NRM). This product will not coexist with the following services: Novell
Domain Services for Windows.")

3 To configure the AFP service, select the eDirectory context on the Configuration page.


NOTE: AFP configuration fails when the container admin tries to add the proxy user as a 
password reader to the password policy. Configuration fails as the container admin does not 
have the write rights to the password policies in the security container. Provide the container 
admin create rights on the password policy container and rerun the configuration. 
(Screenshot: Novell AFP Services, "AFP Configuration - Mac client access to NSS volumes". The
Configuration dialog has a single table, eDirectory Contexts, in which you provide the list of contexts
that are searched when the AFP user enters a username; the server searches through each context in
the list until it finds the correct user object.)

Configuration Parameter: Details

eDirectory Context: Specify the list of contexts to search for the AFP user when the user enters the
username.

The context defines the position of an object within the directory tree structure. It is a list of
container objects leading from the object to the root of the tree.

Specifying the context preempts the need to specify the FQDN (fully qualified distinguished name)
of the user.

For example: if users exist in ou=users, provide that context. A user in ou=user1,ou=users is not
resolved through the ou=users entry, because subcontainers are not searched; the context
ou=user1,ou=users must be added explicitly.

4 Click Next to continue with the AFP services installation.
(Screenshot: Novell AFP Service Configuration dialog, "Select the Password Policies assigned to AFP
Users", listing cn=AFP Default Policy,cn=Password Policies,cn=Security. Select all the password
policies that are assigned to the AFP users.)
NOTE: Installing novell-afptcpd also installs Audit and starts auditd (Linux auditing daemon). 


4.2 Installing AFP after the OES 2 SP3 Installation


If you did not install Novell AFP services during the OES 2 SP3 installation, you can install it later. 


1 Invoke the YaST Control Center. In the left panel, under the Groups section, click the Open
Enterprise Server link. The OES Install and Configuration link opens the Software Selection page.
Select Novell AFP, then click Accept.

Installation starts.

After the install is finished, YaST displays a summary page indicating that AFP configuration is
enabled. All the configured services are disabled in this page.

3 Select AFP to proceed with the configuration.
4 Specify the configuration details according to the instructions in Step 3 on page 18.
5 Click Next to continue.

NOTE: After installing AFP, start the Avahi daemon manually by using the
/etc/init.d/avahi-daemon start command.
4.3 Installing AFP NMAS Methods


The AFP NMAS methods were introduced in OES 2 SP3 for secure authentication purposes. 


Installing AFP NMAS Methods During a Fresh Installation 


In case of a fresh installation you are not required to install the AFP NMAS methods. The methods 
are by default installed during the AFP server installation. 


Installing AFP NMAS During an Upgrade 


If you are upgrading from an OES 2 SP2 server or an OES 2 SP3 server to an OES 11 server, make sure
you install novell-afp-nmasmethods.rpm.


Installing Patches for the AFP NMAS Method 


It is important to ensure that the installed AFP NMAS method has the latest patches. To install
patches for the AFP NMAS method, run the following script:

/opt/novell/afptcpd/bin/install_afp_lsm.sh

This script prompts you to enter the eDirectory Tree Admin user and the password for the Tree
Admin.


4.4 Verifying the Installation

After the installation is done, you can verify that it succeeded by using the following procedure:

1 Check for the following files in the /etc/opt/novell/afptcpd directory:
* afpdircxt.conf
* afptcpd.conf
* afpvols.conf
2 Check the afpdircxt.conf file for the context added during installation.
3 Check for the /usr/share/mof/novell-afp-providers/AFPServices.mof file.
4 Check for the following libraries under /usr/lib/cmpi on a 32-bit system and /usr/lib64/cmpi on a
64-bit system:

libAFPConfigProvider.so
libAFPConfigProvider.so.1
libAFPConfigProvider.so.1.0.0
libAFPContextProvider.so
libAFPContextProvider.so.1
libAFPContextProvider.so.1.0.0
libAFPServicesProvider.so
libAFPServicesProvider.so.1
libAFPServicesProvider.so.1.0.0
libAFPVolumeProvider.so
libAFPVolumeProvider.so.1
libAFPVolumeProvider.so.1.0.0

5 Check for the libafplcm.so library under /opt/novell/lib on a 32-bit system and the
libafplinlcm.so library under /opt/novell/lib64 on a 64-bit system.

LCM (Login Client Module) is the NMAS client-side component of an NMAS login method. The new
AFP NMAS LCM is the shared object (.so) that the NMAS client loads into the AFP server address
space.


4.4.1 Verifying LSM Installation

LSM installation can be verified either through iManager or through the local file system.

Verifying through iManager

In iManager, click NMAS. Under NMAS Login Methods and NMAS Login Sequences, verify that
afplinlsm is present.

Verifying through the Local File System

* Verify that afplinlsm.so is present in /var/opt/novell/eDirectory/data/nmas-methods on a
32-bit system.
* Verify that afplinlsm_x64.so is present in /var/opt/novell/eDirectory/data/nmas-methods on a
64-bit system.
* On a NetWare machine, verify that afplinlsm.nlm is loaded by using the m afplinlsm.nlm
command.
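The file checks in Section 4.4 and Section 4.4.1 can be scripted so that the same verification is repeated after every upgrade or patch. The following POSIX shell script is an added example; it is not a utility shipped with Novell AFP and is not taken from this guide. It walks the file list above, selecting the lib or lib64 locations from the machine type, and optionally confirms that afpdircxt.conf contains a given context. The ROOT prefix, the ARCH argument, the afp_need helper and the sample context ou=users,o=novell are this script's own conventions, not values from the guide; every path it checks is the one the guide names.

```shell
#!/bin/sh
# Added example (not part of the Novell AFP guide): verify the files that
# Section 4.4 steps 1-5 and Section 4.4.1 say an AFP installation contains.
# The ROOT prefix and ARCH argument exist so the same function can be run
# against a constructed directory tree as well as the live server.

# afp_need PATH: print PATH with its status and flag it when it is absent.
afp_need() {
    if [ -e "$1" ]; then
        printf 'ok      %s\n' "$1"
    else
        printf 'MISSING %s\n' "$1"
        missing=1
    fi
}

# afp_verify_install [ROOT] [CONTEXT] [ARCH]
#   ROOT    prefix prepended to every path (default: none, i.e. the live system)
#   CONTEXT eDirectory context expected in afpdircxt.conf (optional)
#   ARCH    machine type (default: uname -m); x86_64 selects the lib64 locations
# Returns 0 when everything is present, 1 when at least one item is missing.
afp_verify_install() {
    root=${1:-}
    ctx=${2:-}
    arch=${3:-$(uname -m)}
    missing=0
    conf="$root/etc/opt/novell/afptcpd"

    # Step 1: the three configuration files.
    for f in afpdircxt.conf afptcpd.conf afpvols.conf; do
        afp_need "$conf/$f"
    done

    # Step 2: the context added during installation (fixed-string match).
    if [ -n "$ctx" ]; then
        if grep -qF -- "$ctx" "$conf/afpdircxt.conf" 2>/dev/null; then
            printf 'ok      context %s in afpdircxt.conf\n' "$ctx"
        else
            printf 'MISSING context %s in afpdircxt.conf\n' "$ctx"
            missing=1
        fi
    fi

    # Step 3: the CIM provider definition.
    afp_need "$root/usr/share/mof/novell-afp-providers/AFPServices.mof"

    # Steps 4-5 and Section 4.4.1: library locations depend on the architecture.
    case $arch in
        x86_64)
            cmpi="$root/usr/lib64/cmpi"
            lcm="$root/opt/novell/lib64/libafplinlcm.so"
            lsm="$root/var/opt/novell/eDirectory/data/nmas-methods/afplinlsm_x64.so"
            ;;
        *)
            cmpi="$root/usr/lib/cmpi"
            lcm="$root/opt/novell/lib/libafplcm.so"
            lsm="$root/var/opt/novell/eDirectory/data/nmas-methods/afplinlsm.so"
            ;;
    esac
    for p in AFPConfig AFPContext AFPServices AFPVolume; do
        for suffix in .so .so.1 .so.1.0.0; do
            afp_need "$cmpi/lib${p}Provider$suffix"
        done
    done
    afp_need "$lcm"   # NMAS login client module loaded into the AFP server
    afp_need "$lsm"   # NMAS login server module loaded by eDirectory

    return $missing
}

# Usage on the server (the context is a constructed sample, not a value from
# the guide):
#   afp_verify_install "" "ou=users,o=novell"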


4.5 What's Next

For details on administering the AFP service, see Chapter 5, "Administering the AFP Server," on page 23.
5 Administering the AFP Server


You can use Novell iManager to change the configuration of your AFP server after AFP services have 
been installed on Novell Open Enterprise Server (OES) 2 SP3 Linux. The AFP configuration details 
are stored in a configuration file on the Linux server, and iManager provides an easy interface for 
changing the configuration details. 


NOTE: Admin-equivalent and container admin users must be LUM enabled to manage the AFP server
through the AFP iManager plug-in.

* Section 5.1, "Selecting a Server to Manage," on page 23
* Section 5.2, "Configuring General Parameters," on page 24
* Section 5.3, "Configuring Volume Details," on page 28
* Section 5.4, "Configuring Context Details," on page 30


5.1 Selecting a Server to Manage 


1 Open an Internet browser and enter the URL for iManager.

The URL is https://server_ip_address/nps/imanager.html. Replace server_ip_address with the IP
address or DNS name of the Linux server running AFP.

2 Enter your username and password.
3 In the left pane, locate and select the AFP task. (It is listed under File Protocols, together with
CIFS and Samba.)

4 Use one of the following methods to select a server in the tree where you are logged in: 


* In the Server field, type the Novell eDirectory distinguished server name for the server you
want to manage, then press the Tab key or click somewhere on the page outside of the
Server field to confirm your selection. For example:

afpserver.novell

* Click the Search icon to open the eDirectory Object Selector. Browse or search the list to
locate the server you want to manage, then click the server name.

* Click the Object History icon to select a server you have recently managed.


5 Wait for iManager to retrieve information about that server and display the appropriate 
information to the task page you are in. It might take several seconds to retrieve the information, 
depending on the size of the data in the server. 
The status of the server is displayed in the status bar below the Server text field.

Table 5-1 AFP Server Status

Stopped icon: Indicates that the AFP server is stopped. To start the server, click the Start icon.

Running icon: Indicates that the AFP server is up and functional. To stop the server, click the Stop
icon.

Log icon: Click this button to view log details of the AFP server.

Reload icon: Click this button to save and load the configuration changes on the AFP server. This
saves and loads configuration changes for all the parameters except for Authentication Mode and
Reconnect Period. Any change in these two parameters requires restarting the AFP server.

Reload doesn't affect the existing client connections to the AFP server.


5.2 Configuring General Parameters 


The general parameters help you define the security and rights features of the AFP server.

1 Start your browser (Internet Explorer 5 or later, Firefox, etc.) and specify the URL for iManager.

The URL is https://server_ip_address/nps/imanager.html. Replace server_ip_address with the IP
address or DNS name of the Linux server running AFP.

2 Enter your username and password.
3 In the left column, select File Protocols, then click AFP.
4 Select the General tab.

The following details are displayed:

* Section 5.2.1, "Security and Rights," on page 24
* Section 5.2.2, "Threads and Connections," on page 25
* Section 5.2.3, "Version and Logging," on page 26
* Section 5.2.4, "Other," on page 27
* Section 5.2.5, "Rights to a File or Folder," on page 28


5.2.1 Security and Rights 


The Security and Rights parameters let you define and set access permissions for the AFP server. 
(Screenshot: the Security and Rights panel, with the World No Rights Management and Allow Guest
Login check boxes, the Guest User field, the Sharing Rights list (set to All), and the Authentication
Mode list (set to Diffie-Hellman).)

Table 5-2 Security and Rights Configuration Parameters

Allow Guest Login: Select this option to allow users to log in as a guest.

World No Rights Management: Select this option to let users set permissions and give access to
network directories and their contents to everyone (world). If this option is not selected, the AFP
server ignores the Set Rights requests coming from Macintosh clients, so the users cannot set
permissions to give access to others.

Sharing Rights: Select this option to turn off fetching rights for the owner, groups, and everyone.
Returns a set of default rights when queried.

Authentication Mode: Indicates the authentication mechanism to use. The supported methods are:

* Two-Way Random Key Exchange
* Cleartext
* Random Exchange
* Diffie-Hellman

5.2.2 Threads and Connections

These parameters help you define the processing capabilities of the AFP server.

(Screenshot: the Threads and Connections panel, showing Minimum Threads 3 (Minimum: 3),
Maximum Threads 32 (4 - 32768), and Reconnect Period 1440 (2-1440 Minutes).)
Table 5-3 Threads and Connections Configuration Parameters

Minimum Threads: Indicates the minimum number of threads that should be set for the afptcpd
daemon to start. The default value is 3. This value is set during installation.

Maximum Threads: Indicates the maximum number of threads that the AFP server can support. The
maximum number of threads that can be supported is 32768.

Reconnect Period: Indicates the number of minutes the AFP server waits before attempting to
reconnect. The minimum waiting time is 2 minutes and can extend up to 24 hours.


5.2.3 Version and Logging 


These parameters help you define the logging capabilities of the AFP server. 


(Screenshot: the Version and Logging panel, with the AFP Version list (set to All) and the Enable Log,
Enable Status, Enable Debug, Enable Error, and Auditing check boxes.)

AFP makes use of the syslog daemon for logging. This daemon keeps track of the log file that it writes
to in the event of renaming the log file or changing the location of the log file.

Table 5-4 Version and Logging Configuration Parameters

AFP Version: Indicates the AFP versions that the AFP server can support. If you select All, AFP
versions 2.2, 3.0 and 3.1 are supported.

Enable Log: Select this option to turn the logging feature on and add an entry to the log file. When
logging is activated, AFP error messages are written to the /var/log/afptcpd/afptcp.log file.

Enable Status: Select this option if you want status messages to be recorded in the
/var/log/afptcpd/afptcp.log file.

Enable Debug: Select this option if you want debug messages to be recorded in the
/var/log/afptcpd/afptcp.log file.

Enable Error: Select this option if you want error messages to be recorded in the
/var/log/afptcpd/afptcp.log file.

Auditing: Select this option to check the authentication process and any changes that occur to the
configuration parameters of the AFP server. Details of any changes that occur are recorded in the
/var/log/audit/audit.log file.

5.2.4 Other

These parameters let you define the search parameters and unload behavior of the AFP server. Novell
AFP supports only Novell Storage Services (NSS) volumes.

(Screenshot: the Other panel, with the Export All Volumes check box and the OK and Cancel buttons.)

Table 5-5 Other Parameters

Export All Volumes: When this option is selected, all the NSS volumes on the server are exported.
When this option is deselected, only the volumes listed in the afpvols.conf file are exported.

NOTE: When the Export All Volumes option is turned off, specifying the alternate name is not
mandatory. The volume name is displayed for export. However, if the alternate name is specified,
then the alternate name of the volume is displayed for export.
IMPORTANT: When the OES2 SP1 AFP iManager plug-in manages an OES2 SP2 or later AFP server,
configuration settings such as CROSS_PROTOCOL_LOCKS, NO_UNLOAD_TIME_CHECK, and
NO_COUNT_ON_OFFSPRING cannot be managed, because these options were removed from the OES2
SP2 AFP server onwards. Similarly, the new settings GUEST_USER and EXPORT_ALL_VOLUMES, added
in the OES2 SP2 AFP server onwards, cannot be managed by the OES2 SP1 AFP iManager plug-in.

Specifying alias names for volumes in the afpvols.conf file is mandatory in OES2 SP1 but optional
from OES2 SP2 onwards. Hence, when an OES2 SP1 AFP iManager plug-in uses the volume management
feature of an OES2 SP2 or later AFP server, it is mandatory to specify the alias name for the
volumes.


Rights to a File or Folder 


The rights that the AFP server returns for a file or folder are controlled by the Rights configuration 
parameter, which takes one of three values: All, Default, or No. If you do not want the All behavior, 
set the option to Default or No. The values behave as follows: 

+ No: the AFP server returns the real owner ID for files and folders, but does not calculate group 
and other rights. For the group and other fields it returns the default server ID 0, which is mapped 
to the user name root. 

+ Default: the AFP server turns off rights calculation entirely and returns the AFP server ID, which 
is 0, for owner, group, and other. Because no rights calculation is performed for files and folders, 
this setting gives better performance than All when files and folders have a large number of 
trustees, where calculating group rights requires more processing. 

+ All: the AFP server returns the correct owner ID that is set on the file or folder. For the other IDs, 
the AFP server scans all the trustees assigned to the file or folder, finds the group or user trustee 
with the maximum rights, and returns that group or user in the other ID field. The scan takes 
more time when a file or folder has a large number of trustees. 

With Default or No, Macintosh clients see root as the group (and, with Default, as the owner) in 
Get Info/Sharing, so that display no longer reflects the actual trustees on the volume. 
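The following is an added illustration, not code from the Novell documentation or the AFP server: it models what ID values a client receives under each value of the Rights parameter, as described above. The trustee representation (ID, kind, NSS rights string) and the "more rights" ranking used to pick the winning trustee are this example's own assumptions.

```python
# Added example, not part of the Novell documentation or the AFP server code.
# It models the three values of the Rights parameter as described above so
# you can see what ID values a Macintosh client ends up with. The trustee
# representation and the "more rights" ranking are this example's assumptions.

NSS_RIGHTS = "SRWCEMFA"  # Supervisor, Read, Write, Create, Erase, Modify, File scan, Access control


def rank(rights):
    """Score a trustee's rights string; a higher score means more rights.
    Supervisor is treated as outranking any other combination (assumption)."""
    flags = set(rights.upper()) & set(NSS_RIGHTS)
    if "S" in flags:
        return len(NSS_RIGHTS) + 1
    return len(flags)


def returned_ids(mode, owner_id, trustees):
    """Return (owner_id, secondary_id, trustees_scanned) for one file or folder.

    trustees is a list of (id, kind, rights) with kind "group" or "user".
    secondary_id is the value handed back in the group/other slot; 0 is the
    AFP server's own ID, which maps to root.
    """
    mode = mode.lower()
    if mode == "default":
        # No calculation at all: owner, group and other all come back as 0.
        return 0, 0, 0
    if mode == "no":
        # Real owner, but group/other are not computed and come back as 0.
        return owner_id, 0, 0
    if mode == "all":
        # Full scan of every trustee: the one with the most rights wins;
        # a group is preferred over a user with equal rights (see "User / Group").
        best = None
        for tid, kind, rights in trustees:
            key = (rank(rights), 1 if kind == "group" else 0)
            if best is None or key > best[0]:
                best = (key, tid)
        return owner_id, (best[1] if best else 0), len(trustees)
    raise ValueError("Rights must be All, Default or No")
```

The third element of the result is the number of trustees the server had to examine, which is zero for Default and No and equals the trustee count for All; that is the cost the text refers to when it recommends Default for folders with many trustees.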


5.3 Configuring Volume Details 


The logical volumes you create on NSS storage pools are called NSS volumes. 


Novell AFP supports only Novell Storage Services (NSS) volumes. NSS storage object names are case 
insensitive. Names such as AURORA, Aurora, and aurora are the same. Since NSS volume names are 
case insensitive, volumes which can be exported from AFP are also case insensitive. 


NSS volumes are identified by the machine name and volume name combination. For instance, if you 
create a volume titled AFP_Volume on a server named ACME, the volume name is represented as 
ACME.AFP_Volume. The Volume Name Management feature lets you specify an alternate name for 
the NSS volume. For instance, you can represent ACME.AFP_Volume as AFP_Volume. This is 
mandatory in a cluster setup, where you need to identify volumes without the machine name prefix. 


Renaming of AFP server volumes in afpvols.conf file is required when using NCS clustered volumes. 


The AFP volume share name supports all ASCII characters except NULL, colon(:), and forward 
slash(/). 


IMPORTANT: Do not edit the afpvols.conf file for a volume that is already mounted and in use 
(mounted on AFP clients). If you must modify the file, restart the server after the modification 
instead of reloading it. This lets the volumes mounted on clients be unmounted cleanly. Using the 
reload option after such a modification leads to irrecoverable issues and should be avoided. 


Dynamic Detection of Volumes: The AFP server now dynamically detects adding/mounting a new 
NSS volume and deleting/unmounting an existing NSS volume. The AFP server updates itself with 
the current set of volumes on the OES 2 SP3 server. An explicit reload of the server is not required. 


NOTE: The dynamic detection is applicable to standalone servers as well as cluster nodes. 


Use the following tasks to administer AFP volume names: 


+ Section 5.3.1, “Adding a New Volume Name,” on page 29 
+ Section 5.3.2, “Editing an Existing Volume Name,” on page 29 
+ Section 5.3.3, “Deleting a Volume Name,” on page 30 


+ Section 5.3.4, “Resetting the Desktop,” on page 30 


5.3.1 Adding a New Volume Name 

1 Start your browser (Internet Explorer 5 or later, Firefox, etc.) and specify the URL for iManager. 

The URL is https://server_ip_address/nps/imanager.html. Replace server_ip_address with the IP 
address or DNS name of the Linux server running AFP. 

2 Enter your username and password. 

3 In the left column, select File Protocols, then click AFP. 

4 Browse and select the AFP server that you want to administer. 

5 Select the Volume tab. Click the Object Selector button, then select the server for which you want 
to specify new volume names. 

6 Select Add. This opens the Add New Volume dialog box. 

7 Click the Object Selector button, then select an existing volume. If you want to see the volumes 
you selected earlier, click the Object History icon. 

8 (Optional) Specify a name for the selected NSS volume. This alters the volume name visible to 
the AFP clients. 

9 Click OK to save the changes. 

NOTE: Volumes renamed through Adding a New Volume Name are updated in the afpvols.conf file. 


5.3.2 Editing an Existing Volume Name 

1 Start your browser (Internet Explorer 5 or later, Firefox, etc.) and specify the URL for iManager. 

The URL is https://server_ip_address/nps/imanager.html. Replace server_ip_address with the IP 
address or DNS name of the Linux server running AFP. 

2 Enter your username and password. 

3 In the left column, select File Protocols, then click AFP. 

4 Browse and select the AFP server that you want to administer. 

5 Select the Volume tab, then use the Object Selector button to select the server for which you want 
to specify new volume names. 

The volumes created on the server are displayed. 

6 Select the volume you want to modify and click Edit. 

7 (Optional) Specify a new name for the shared volume. This changes the volume name visible to 
the AFP clients. 

8 Click OK. 


5.3.3 Deleting a Volume Name 

1 Start your browser (Internet Explorer 5 or later, Firefox, etc.) and specify the URL for iManager. 

The URL is https://server_ip_address/nps/imanager.html. Replace server_ip_address with the IP 
address or DNS name of the Linux server running AFP. 

2 Enter your username and password. 

3 In the left column, select File Protocols, then click AFP. 

4 Browse and select the AFP server that you want to administer. 

5 Select the Volume tab. Use the Object Selector to select the server you want to modify. 

The volumes created on the server are displayed. 

6 Select the volume name you want to remove and click Delete. 

7 Click OK. 


5.3.4 Resetting the Desktop 

1 Start your browser (Internet Explorer 5 or later, Firefox, etc.) and specify the URL for iManager. 

The URL is https://server_ip_address/nps/imanager.html. Replace server_ip_address with the IP 
address or DNS name of the Linux server running AFP. 

2 Enter your username and password. 

3 In the left column, select File Protocols, then click AFP. 

4 Browse and select the AFP server that you want to administer. 

5 Select the Volume tab. Use the Object Selector to select the server you want to modify. 

The volumes created on the server are displayed. 

6 Select the volume for which you want to reset the desktop, then click the Reset Desktop option. 


5.4 Configuring Context Details 


Context defines the position of an object within the Directory tree structure. It is a list of container 
objects leading from the object to the root of the tree. 


Configuring the contexts on the server removes the need for users to specify the FQDN (fully 
qualified distinguished name) of the user object at login. 

A context search file allows Macintosh users to log in to the network without specifying their full 
context. When the Macintosh user enters a username, the server searches through each context in the 
list until it finds the correct user object. 

* Section 5.4.1, "Adding a New Context,” on page 31 


+ Section 5.4.2, "Removing an Existing Context," on page 31 


5.4.1 Adding a New Context 

1 Start your browser (Internet Explorer 5 or later, Firefox, etc.) and specify the URL for iManager. 

The URL is https://server_ip_address/nps/imanager.html. Replace server_ip_address with the IP 
address or DNS name of the Linux server running AFP. 

2 Enter your username and password. 

3 In the left column, select File Protocols, then click AFP. 

4 Browse and select the AFP server that you want to administer. 

5 Select the Contexts tab. The contexts created on the server are displayed. 

6 Click Add. This opens the Add New Context dialog box. 

7 Specify a context name or browse to select an existing context. 

8 Click OK to save the changes. 


5.4.2 Removing an Existing Context 

1 Start your browser (Internet Explorer 5 or later, Firefox, etc.) and specify the URL for iManager. 

The URL is https://server_ip_address/nps/imanager.html. Replace server_ip_address with the IP 
address or DNS name of the Linux server running AFP. 

2 Enter your username and password. 

3 In the left column, select File Protocols, then click AFP. 

4 Browse and select the AFP server that you want to administer. 

5 Select the Contexts tab. The contexts created on the server are displayed. 

6 Select the context you want to delete. 

To remove all of the contexts in the list, click the top-level check box, then click Delete. 

To remove one or more contexts, click the check boxes next to them, then click Delete. 
Migrating AFP from NetWare to OES 2 SP3 Linux 


The Open Enterprise Server (OES) 2 SP3 Migration Tool has a plug-in architecture and is made up of 
Linux command line utilities with a GUI wrapper. You can migrate AFP to OES 2 SP3 through the 
GUI Migration Tool or through the command line utilities. 


To get started with migration, see “Overview of the Migration Tools” in the OES 2 SP3: Migration Tool 
Administration Guide. 


For more information on migrating AFP, see “Migrating AFP from NetWare to OES 2 SP3 Linux "in 
the OES 2 SP3: Migration Tool Administration Guide. 




Running AFP in a Virtualized Environment 


AFP services run in a virtualized environment just as they do on a physical NetWare server, or on a 
physical server running Open Enterprise Server (OES) 2 SP3 Linux, and require no special 
configuration or other changes. 


To get started with virtualization, see “Introduction to Xen Virtualization (http://www.novell.com/ 
documentation/sles10/xen admin/data/sec xen basics.html)" in the Virtualization with Xen (http:// 
www.novell.com/documentation/sles10/xen_admin/data/bookinfo.html) guide. 


Configuring AFP with Novell Cluster Services for an NSS File System 


Novell Apple Filing Protocol can be used in a cluster environment with Novell Cluster Services on 
your Novell Open Enterprise Server (OES) 2 SP3. 

+ Section 8.1, "Benefits of Configuring AFP for High Availability," on page 37 

* Section 8.2, "Volumes in a Cluster," on page 37 


* Section 8.3, "Configuring AFP in a Cluster," on page 38 


8.1 Benefits of Configuring AFP for High Availability 


When you configure AFP in an OES 2 SP3 cluster, resources can be dynamically switched or moved 
to any server in the cluster. Resources can be configured to automatically switch or be moved in the 
event of a server failure, or they can be moved manually to troubleshoot hardware or balance the 
workload. 


An equally important benefit of implementing AFP in a cluster setup is that you can reduce 
unplanned service outages as well as planned outages for software and hardware maintenance and 
upgrades. 


Before you attempt to implement this solution, familiarize yourself with how Cluster Services works. 
For information, see the OES 2 SP3: Novell Cluster Services 1.8.8 Administration Guide for Linux 


8.2 Volumes in a Cluster 


In a cluster setup, when a Macintosh client connects to the physical IP of the AFP server, both the 
local volumes as well as cluster enabled shared volumes are exported to the client. 


However, if the client connects to the cluster/virtual IP, then only the cluster enabled shared volumes 
associated with the cluster IP are exported. 


For example: 


Consider a cluster setup with two AFP servers running on nodes A and B. If the cluster resource is 
bound to A, a Mac client connecting to the physical IP of A can access both the local and the cluster- 
enabled shared volumes. 

If the client connects to the physical IP of B, only the local volumes on B are exported, because the 
cluster resource is on A. If the cluster resource moves to B through migration or failover, clients 
connecting to B then see both local and shared volumes. 
NSS volumes are identified by the machine name and volume name combination. For instance, if you 
create a volume titled AFP_Volume on a server named ACME, the volume is represented as 
ACME.AFP_Volume. The Volume Name Management feature lets you specify an alternate name 
for the NSS volume. For instance, you can rename ACME.AFP_Volume to AFP_Volume. This is 
mandatory in a cluster setup, where you need to identify volumes without the machine name prefix. 


+ Section 8.2.1, “Volume Name Management in a Cluster,” on page 38 


8.2.1 Volume Name Management in a Cluster 


Volume management is done in two ways in a cluster: 


+ Using iManager AFP Management Plugin: 


+ The iManager AFP Management Plugin requires a volume to be locally mounted on the 
cluster node before adding it to the AFP configuration. Hence migrate the volume resource 
to each node and use iManager AFP Management Plugin to add the volume to the AFP 
configuration. 


+ By editing /etc/opt/novell/afptcpd/afpvols.conf on each cluster node. This is done 
without migrating the resource to each node. Enter entries with the following syntax: 

ServerName.VolumeName VolumeName 

Where ServerName is the host name of the local cluster node and VolumeName is the name of 
the shared, cluster-enabled volume; the second VolumeName is the alias the clients see, and it 
must be the same on every node so that the volume keeps its name after a failover. 


Here is an example that illustrates how cluster nodes map to shared volumes. The lines are shown as 
they appear in the comments of the file; entries that should take effect are written without the 
leading #. 

# Example 3: Renaming cluster volumes 
# afpvols.conf for serverA: 
# 
# serverA.vol1 sharedVol1 
# serverA.vol2 sharedVol2 
# 
# afpvols.conf for serverB: 
# 
# serverB.vol1 sharedVol1 
# serverB.vol2 sharedVol2 

8.3 Configuring AFP in a Cluster 


Configuring or enabling AFP and making it available in a cluster environment requires you to 
perform the following tasks: 


* Section 8.3.1, "Identifying the Nodes to Host the AFP Service," on page 38 
* Section 8.3.2, "Installing Novell Cluster Services," on page 39 

+ Section 8.3.3, "Creating Shared NSS Pools," on page 39 

* Section 8.3.4, "Reviewing Load and Unload Scripts," on page 40 


8.3.1 Identifying the Nodes to Host the AFP Service 


1 Install the AFP server on all the nodes in the cluster, or on the nodes identified for running AFP. 
For instructions on installing, see Chapter 4, "Installing and Setting Up AFP," on page 17. 


2 Restart the AFP server. 


3 Continue with Section 8.3.2, "Installing Novell Cluster Services," on page 39. 


8.3.2 Installing Novell Cluster Services 


1 Install Novell Cluster Services 1.8.8 on the OES 2 SP3. For details, see “Installing and 
Configuring Novell Cluster Services on OES 2 Linux”. 


2 When you have finished installing Novell Cluster Services, continue with Section 8.3.3, 
“Creating Shared NSS Pools,' on page 39. 


8.3.3 Creating Shared NSS Pools 


You can create a pool by using iManager or the NSSMU utility. The shared partition is automatically 
created when you create the pool. 


* "Creating Shared Disk Partitions and Pools through iManager" on page 39 
+ "Creating Shared Disk Partitions and Pools through NSSMU” on page 39 


Creating Shared Disk Partitions and Pools through iManager 


1 Open an Internet browser and enter the URL for iManager. 


The URL is https:// server. ip address/nps/imanager.html. Replace server ip address with the IP 


address or DNS name of the Linux server running AFP. 
2 Enter your username and password. 
3 In the left pane, locate and select the Storage > Pools task. 


4 Specify a cluster server name or browse and select one, then click New. 


Pool names can have 2 to 15 characters and contain the characters A to Z, 0 to 9, _, !, @, #, $, %, &, 
(, and ). Names cannot begin or end with the _ (underscore) character, nor contain __ (multiple 
underscores). 


5 Specify the new pool name and click Next. 
6 Allocate the size of the pool and click Next. 


7 Specify an IP address for the virtual server. 


Make sure you select AFP as the advertising protocol. You should also make sure that NCP is 
selected. NCP is essential to activate the NCP protocol on the cluster. 
8 Click Finish to complete configuration of the pool. 
9 Continue with "Reviewing Load and Unload Scripts" on page 40. 


Creating Shared Disk Partitions and Pools through NSSMU 


1 From the NSSMU main menu, select Pools. 

2 Select the device where you want the pool to be created. 
3 Specify the name of the pool and the IP address of the virtual server. 


Make sure you select AFP as the advertising protocol. You should also make sure that NCP is 
selected. NCP is essential to activate the NCP protocol on the cluster. 


4 Click Apply to complete configuration of the pool. 
5 Continue with Section 8.3.4, “Reviewing Load and Unload Scripts,” on page 40. 


8.3.4 Reviewing Load and Unload Scripts 


Cluster resource load and unload scripts are automatically generated for pools when they are cluster- 
enabled. You can review the load and unload scripts for the AFP cluster by using the following 
procedure: 

1 Open an Internet browser and enter the URL for iManager. 


The URL is https:// server ip address/nps/imanager.html. Replace server ip address with the IP 
address or DNS name of the Linux server running AFP. 


2 Enter your username and password. 
3 In the left pane, locate and select the Cluster > Cluster Manager task. 


4 Select the cluster resource and click the Scripts tab. The Load and Unload scripts are displayed. 
Ensure that your load and unload scripts are similar to the following examples: 
Load Script 

#!/bin/bash 
. /opt/novell/ncs/lib/ncsfuncs 
exit_on_error nss /poolact=POOL1 
exit_on_error ncpcon mount VOL2=253 
exit_on_error ncpcon mount VOL1=254 
exit_on_error add_secondary_ipaddress 192.168.0.0 
exit_on_error ncpcon bind --ncpservername=CLUSTER1_POOL1_SERVER --ipaddress=192.168.0.0 
exit_on_error cluster_afp.sh add CLUSTER1_POOL1_SERVER 192.168.0.0 
exit 0 

Unload Script 

#!/bin/bash 
. /opt/novell/ncs/lib/ncsfuncs 
ignore_error cluster_afp.sh del CLUSTER1_POOL1_SERVER 192.168.0.0 
ignore_error ncpcon unbind --ncpservername=CLUSTER1_POOL1_SERVER --ipaddress=192.168.0.0 
ignore_error del_secondary_ipaddress 192.168.0.0 
ignore_error nss /pooldeact=POOL1 
exit 0 

The AFP line (cluster_afp.sh add) must come after the secondary IP address is added and the NCP 
server is bound, and the unload script must release the same virtual server name and IP address that 
the load script registered. 
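The following is an added example, not Novell or Novell Cluster Services code: it checks a resource's load and unload scripts for the ordering shown above and verifies that the unload script releases exactly what the load script registered. The two scripts embedded below are constructed to match the examples; the step names and ordering rules are taken from those examples.

```python
# Added example, not Novell or NCS code: check that a resource's load and
# unload scripts contain the AFP-related steps in the expected order and
# that the unload script undoes what the load script did. The two scripts
# below are constructed to match the examples above.
import shlex

LOAD_SCRIPT = """\
#!/bin/bash
. /opt/novell/ncs/lib/ncsfuncs
exit_on_error nss /poolact=POOL1
exit_on_error ncpcon mount VOL2=253
exit_on_error ncpcon mount VOL1=254
exit_on_error add_secondary_ipaddress 192.168.0.0
exit_on_error ncpcon bind --ncpservername=CLUSTER1_POOL1_SERVER --ipaddress=192.168.0.0
exit_on_error cluster_afp.sh add CLUSTER1_POOL1_SERVER 192.168.0.0
exit 0
"""

UNLOAD_SCRIPT = """\
#!/bin/bash
. /opt/novell/ncs/lib/ncsfuncs
ignore_error cluster_afp.sh del CLUSTER1_POOL1_SERVER 192.168.0.0
ignore_error ncpcon unbind --ncpservername=CLUSTER1_POOL1_SERVER --ipaddress=192.168.0.0
ignore_error del_secondary_ipaddress 192.168.0.0
ignore_error nss /pooldeact=POOL1
exit 0
"""

# Steps that must appear, in this order, in each script.
LOAD_ORDER = ["nss /poolact", "ncpcon mount", "add_secondary_ipaddress",
              "ncpcon bind", "cluster_afp.sh add"]
UNLOAD_ORDER = ["cluster_afp.sh del", "ncpcon unbind",
                "del_secondary_ipaddress", "nss /pooldeact"]


def commands(script):
    """Return the commands of a script as token lists, without the
    exit_on_error/ignore_error wrapper; the shebang, comments, the ncsfuncs
    source line and the final exit are skipped."""
    out = []
    for line in script.splitlines():
        line = line.strip()
        if not line or line[0] in "#." or line == "exit 0":
            continue
        toks = shlex.split(line)
        if toks[0] in ("exit_on_error", "ignore_error"):
            toks = toks[1:]
        out.append(toks)
    return out


def step_kind(toks):
    """Normalise a command to a step name, e.g. ['nss', '/poolact=POOL1'] -> 'nss /poolact'."""
    if toks[0] == "nss" and len(toks) > 1:
        return "nss " + toks[1].split("=")[0]
    if toks[0] in ("ncpcon", "cluster_afp.sh") and len(toks) > 1:
        return toks[0] + " " + toks[1]
    return toks[0]


def ordered(kinds, expected, label, findings):
    """Record missing steps and out-of-order steps for one script."""
    positions = []
    for step in expected:
        if step in kinds:
            positions.append(kinds.index(step))
        else:
            findings.append("%s script is missing: %s" % (label, step))
    if positions != sorted(positions):
        findings.append("%s script steps are out of order" % label)


def check_scripts(load, unload):
    """Return a list of findings; an empty list means the pair is consistent."""
    findings = []
    lcmds, ucmds = commands(load), commands(unload)
    ordered([step_kind(c) for c in lcmds], LOAD_ORDER, "load", findings)
    ordered([step_kind(c) for c in ucmds], UNLOAD_ORDER, "unload", findings)
    # The AFP virtual server name and IP given to cluster_afp.sh must match.
    adds = [c[2:] for c in lcmds if step_kind(c) == "cluster_afp.sh add"]
    dels = [c[2:] for c in ucmds if step_kind(c) == "cluster_afp.sh del"]
    if adds != dels:
        findings.append("cluster_afp.sh add/del arguments differ: %r vs %r" % (adds, dels))
    # Unload must keep going on failure so the resource can always be released.
    for line in unload.splitlines():
        if line.startswith("exit_on_error"):
            findings.append("unload script uses exit_on_error: " + line)
    return findings
```

Run check_scripts on the text of the two scripts copied from the Scripts tab; any finding points at a step that is missing, out of order, or registered under one name and released under another, which is what leaves a stale AFP virtual server behind after a failed migration.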


Working with Macintosh Computers 


This section contains the following information: 


* Section 9.1, "Administrator Tasks for Macintosh," on page 43 


* Section 9.2, "Macintosh End User Tasks," on page 45 


9.1 Administrator Tasks for Macintosh 


This section provides several ways to simplify your administration tasks and customize how 
Macintosh workstations interact with the network. 

+ Section 9.1.1, "Configuring a Guest User Account,” on page 43 

* Section 9.1.2, "Editing the Volume File," on page 44 

* Section 9.1.3, "Editing the Context Search File," on page 44 

* Section 9.1.4, "Editing the Configuration File," on page 44 


9.1.1 Configuring a Guest User Account 


AFP lets you configure a guest user account through iManager. 

1 In Novell iManager, click the Roles and Tasks button. For more information, see the Novell iManager 
2.7.4 Administration Guide. 

2 Click Users > Create User. 

3 Specify a username and a last name for the user. 

4 Specify the context for the user. 

5 Click OK to save the changes. 

The guest user is now created. 

6 After creation of the guest user, query for the user by using the User > Modify User task in 
iManager. 

7 Remove the ability for the user to change the password by clicking Restrictions, then deselect 
Allow User to Change Password. 

8 Enable the Guest account by adding the full eDirectory context of the Guest object to the context 
search file as described in "Editing the Context Search File" on page 44. 

9 Reload the AFP server to make the Guest button available on the login screen. 

To reload the AFP server through iManager, see Section 5.1, "Selecting a Server to Manage," on 
page 23. 

The trustee assignments on the Guest object define what anyone who clicks Guest Login can reach, 
so grant it only the rights you intend every unauthenticated Macintosh user to have. 

9.1.2 Editing the Volume File 


Information about volumes is stored in the /etc/opt/novell/afptcpd/afpvols.conf file. 
To edit the afpvols.conf file and store volume information: 


1 Use a text editor to open the afpvols.conf file. 

2 On separate lines, enter the current name of the volume and the new name of the volume, 
separated by a space. For example: 

server1.sys System_Volume 
server1.img Graphics 

3 Unload and reload the AFP server by using the rcnovell-afptcpd reload command, or use 
iManager to reload the server. If any of the volumes you changed are mounted on AFP clients, 
restart the server instead of reloading it (see the IMPORTANT note in Section 5.3, "Configuring 
Volume Details"). 
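The following is an added example, not Novell code: it parses the afpvols.conf of one or more nodes and checks the entries against the rules stated in this section and in Section 8.2.1 (one entry per line in the ServerName.VolumeName AliasName form, ServerName equal to the local node name, an alias that is mandatory in a cluster and identical on every node, and share names limited to ASCII without NUL, colon or slash). The node names, file contents and volumes are constructed for the example.

```python
# Added example, not Novell code: parse the afpvols.conf of each cluster node
# and check the entries against the rules given in this guide (Section 8.2.1
# and this section). Node names, file contents and volumes are constructed.

# One afpvols.conf per node (constructed). Format: "ServerName.VolumeName AliasName".
NODE_FILES = {
    "serverA": "# afpvols.conf for serverA\nserverA.vol1 sharedVol1\nserverA.vol2 sharedVol2\n",
    "serverB": "serverB.vol1 sharedVol1\nserverB.vol2 shared:Vol2\n",
}


def parse_afpvols(text):
    """Return a list of (server, volume, alias); alias is None when a line
    lists a volume without an alternate name (allowed from OES2 SP2 on)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        server, _, volume = parts[0].partition(".")
        alias = parts[1].strip() if len(parts) > 1 else None
        entries.append((server, volume, alias))
    return entries


def valid_share_name(name):
    """An AFP share name may use any ASCII character except NUL, ':' and '/'."""
    return all(ord(c) < 128 and c not in "\x00:/" for c in name)


def check_cluster_volumes(node_files):
    """Return findings for a set of per-node afpvols.conf files; empty means OK."""
    findings = []
    aliases_by_volume = {}
    for node, text in node_files.items():
        for server, volume, alias in parse_afpvols(text):
            if server.lower() != node.lower():
                findings.append("%s: entry is for host %s, expected the local node name" % (node, server))
            if alias is None:
                # Mandatory in a cluster: clients must not see the ServerName.VolumeName form.
                findings.append("%s: %s has no alias; clients would see %s.%s" % (node, volume, server, volume))
                continue
            if not valid_share_name(alias):
                findings.append("%s: alias %r contains a forbidden character" % (node, alias))
            # NSS volume names and exported names are case insensitive, so compare lower-cased.
            aliases_by_volume.setdefault(volume.lower(), set()).add(alias.lower())
    for volume, aliases in sorted(aliases_by_volume.items()):
        if len(aliases) > 1:
            findings.append("volume %s is exported under different names across nodes: %s"
                            % (volume, sorted(aliases)))
    return findings
```

Feed it the contents of /etc/opt/novell/afptcpd/afpvols.conf from each node, keyed by that node's host name; an alias that differs between nodes means the share changes its name when the resource fails over, and clients that mounted it by the old name lose the mount.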


9.1.3 Editing the Context Search File 


A context search file allows Macintosh users to log in to the network without specifying their full 
context. The context search file contains a list of contexts that are searched when no context is 
provided or the object cannot be found in the provided context. When the Macintosh user enters a 
username, the server searches through each context in the list until it finds the correct user object. 


Macintosh allows only 31 characters for the username. If the full eDirectory context and username are 
longer than 31 characters, you must use a search list to provide access. 


If User objects with the same name exist in different contexts, the first one in the context search list is 
used. 


To edit the context search file: 


1 Using any text editor, edit the afpdirctx.conf file stored in the /etc/opt/novell/afptcpd/ 
directory of the AFP server. 

2 On separate lines, enter the contexts to search. 

For example, if you had users with full eDirectory distinguished names such as 
Robert.sales.acme, Maria.graphics.marketing.acme, Sophia.graphics.marketing, and 
Ivan.marketing.acme, then enter the following contexts in the afpdirctx.conf file: 


ou=sales.o=acme 
ou=graphics.ou=marketing.o=acme 
ou=marketing.o=acme 


3 After you have made the changes, save the file. 


When a Macintosh user logs in with a username and password, the system finds the context 
corresponding to the user object in the afpdirctx.conf file. 
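The following is an added example, not Novell code: it simulates the lookup described in this section and in Section 5.4 (walk the contexts of afpdirctx.conf in order and use the first User object whose name matches), and adds the check a practitioner wants before trusting the list: which short names exist in more than one listed context, since only the first one can ever log in by short name. This matters for the Guest object of Section 9.1.1 as much as for ordinary users. The directory contents are constructed; the 31-character limit is the one stated above.

```python
# Added example, not Novell code: simulate the afpdirctx.conf lookup that turns
# a short Macintosh login name into an eDirectory User object, and flag names
# that exist in more than one listed context. The directory contents are
# constructed; the rule that the first matching context wins is the one
# described above.

AFPDIRCTX_CONF = """\
ou=sales.o=acme
ou=graphics.ou=marketing.o=acme
ou=marketing.o=acme
"""

# Constructed directory: typeful distinguished name -> object class.
DIRECTORY = {
    "cn=Robert.ou=sales.o=acme": "User",
    "cn=Maria.ou=graphics.ou=marketing.o=acme": "User",
    "cn=Ivan.ou=marketing.o=acme": "User",
    "cn=Guest.ou=marketing.o=acme": "User",
    "cn=Guest.ou=sales.o=acme": "User",        # same short name, earlier context
    "cn=Printers.ou=sales.o=acme": "Organizational Unit",
}

MAC_LOGIN_LIMIT = 31  # Macintosh allows 31 characters for the user name


def load_contexts(text):
    """Return the search contexts in file order, skipping blanks and comments."""
    return [l.strip() for l in text.splitlines() if l.strip() and not l.startswith("#")]


def resolve_user(login, contexts, directory):
    """Return the DN of the first User object found by walking the context list.
    eDirectory names are case insensitive, so the comparison is lower-cased."""
    index = {dn.lower(): dn for dn in directory}
    for ctx in contexts:
        dn = index.get(("cn=%s.%s" % (login, ctx)).lower())
        if dn is not None and directory[dn] == "User":
            return dn
    return None


def needs_search_list(dn):
    """True when the typeless full name is too long to be typed at a Mac login."""
    typeless = ".".join(part.split("=", 1)[1] for part in dn.split("."))
    return len(typeless) > MAC_LOGIN_LIMIT


def duplicate_names(contexts, directory):
    """Map login names that resolve in more than one listed context to their DNs,
    in search order: only the first is ever used, the rest are unreachable by short name."""
    seen = {}
    for ctx in contexts:
        for dn, cls in directory.items():
            cn, _, rest = dn.partition(".")
            if cls == "User" and rest.lower() == ctx.lower():
                seen.setdefault(cn[3:].lower(), []).append(dn)
    return {name: dns for name, dns in seen.items() if len(dns) > 1}
```

In the constructed data a Guest object in ou=sales shadows the intended Guest in ou=marketing because ou=sales is listed first, so a login as Guest gets the sales object's rights; run duplicate_names against the real tree whenever the context list changes, and keep the context of the Guest object ahead of any context in which the same name could be created.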


9.1.4 Editing the Configuration File 


The AFP server configuration parameters are stored in the /etc/opt/novell/afptcpd/afptcp.conf 
file. After you install AFP Server, this configuration file contains all the parameters, commented 
with their default values. 

Your configuration file resembles the following example: 


# Authentication module to use. 
# It is advisable not to use - cleartext - as the option 
# for this. The possible options currently are: 
# cleartext, random (random key exchange), two-way (two way 
# random key exchange), DHX (Diffie-Hellman exchange 2). 
# 
# AUTH_UAM <name> 
AUTH_UAM DHX 
# 
# Minimum Number of threads that the daemon must always 
# have waiting for work, notwithstanding the complimentary 
# parameter - Maximum Number of threads (described next) 
# This can not be more than MAX_THREADS parameter. 
# 
# MIN_THREADS <num> 
MIN_THREADS 3 
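The following is an added example, not Novell code: it reads an afptcp.conf in the "PARAMETER value" form shown above, flags the two problems the excerpt warns about (AUTH_UAM set to cleartext, which sends passwords unprotected, and MIN_THREADS larger than MAX_THREADS), and produces the corrected settings next to the weak ones. The sample file is constructed; only the parameter names and the option list shown in the excerpt are assumed.

```python
# Added example, not Novell code: read an afptcp.conf and flag the two problems
# this guide warns about in the excerpt above (AUTH_UAM cleartext and
# MIN_THREADS above MAX_THREADS), then show the corrected settings. The sample
# file is constructed; only the parameter names shown above are assumed.

SAMPLE_CONF = """\
# Authentication module to use.
# AUTH_UAM <name>
AUTH_UAM cleartext
# MIN_THREADS <num>
MIN_THREADS 16
MAX_THREADS 8
"""

DOCUMENTED_UAMS = {"cleartext", "random", "two-way", "dhx"}


def parse_afptcp_conf(text):
    """Return {PARAM: value} from 'PARAM value' lines; '#' lines are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].upper()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def lint_afptcp_conf(conf):
    """Return a list of findings; empty means nothing the guide warns about."""
    findings = []
    uam = conf.get("AUTH_UAM")
    if uam is not None:
        if uam.lower() not in DOCUMENTED_UAMS:
            findings.append("AUTH_UAM %r is not a documented option" % uam)
        elif uam.lower() == "cleartext":
            findings.append("AUTH_UAM cleartext: passwords cross the network unprotected; use DHX")
    try:
        min_threads = int(conf.get("MIN_THREADS", "3"))   # 3 is the value shown in the excerpt
        max_threads = int(conf["MAX_THREADS"]) if "MAX_THREADS" in conf else None
    except ValueError:
        findings.append("MIN_THREADS/MAX_THREADS must be integers")
        return findings
    if max_threads is not None and min_threads > max_threads:
        findings.append("MIN_THREADS %d exceeds MAX_THREADS %d" % (min_threads, max_threads))
    return findings


def hardened(conf):
    """Return a copy of conf with the flagged settings corrected."""
    fixed = dict(conf)
    if fixed.get("AUTH_UAM", "").lower() == "cleartext":
        fixed["AUTH_UAM"] = "DHX"
    if "MAX_THREADS" in fixed and int(fixed.get("MIN_THREADS", "3")) > int(fixed["MAX_THREADS"]):
        fixed["MIN_THREADS"] = fixed["MAX_THREADS"]
    return fixed


def render(conf):
    """Write the parameters back in the 'PARAM value' form used by afptcp.conf."""
    return "".join("%s %s\n" % (k, v) for k, v in sorted(conf.items()))
```

Point parse_afptcp_conf at the real /etc/opt/novell/afptcpd/afptcp.conf after every edit; a cleartext UAM is the one setting in this file that turns every Macintosh login into a credential disclosure on the wire, and the server silently accepts it.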


9.2 Macintosh End User Tasks 


When the Novell Apple Filing Protocol (AFP) is properly configured, the Macintosh users on your 
network can perform the following tasks: 

* Section 9.2.1, "Accessing Network Files," on page 45 

+ Section 9.2.2, "Logging In to the Network As a Guest," on page 46 

+ Section 9.2.3, "Changing Passwords from a Macintosh Computer," on page 46 


* Section 9.2.4, "Assigning Rights and Sharing Files from a Macintosh Computer," on page 46 


9.2.1 Accessing Network Files 


Macintosh users can use the Chooser option to access files and directories. 


1 In Macintosh OS 9, click the Apple menu > Chooser > AppleTalk > Server IP Address. 
or 
In Macintosh OS X, click Go » Connect to Server. 
2 Specify the IP address or DNS name of the OES 2 SP3 server, then click Connect. 
3 Specify the username and password, then click Connect. 
4 Select a volume to be mounted on the desktop. 


Although you now have access to the files, mounting the volume to the desktop does not make it 
available after rebooting. You need to create an alias to make it available after rebooting. 


5 (Optional) Create an alias to the desired volume or directory: 
5a Click the Linux server icon. 
5b Click File > Make Alias. 


The alias icon appears on the desktop. 
9.2.2 Logging In to the Network As a Guest 


If the network administrator has set up the Guest User object account as described in "Configuring a 
Guest User Account" on page 43, Macintosh users can log in to the network as a Guest. 


1 In Macintosh OS 9, click the Apple menu > Chooser > AppleTalk > Server IP Address. 
or 
In Macintosh OS X, click Go > Connect to Server. 

2 Type the IP address or DNS name of the Linux server, then click Connect. 

3 Click Guest Login > Connect. 


The Guest user has rights to access network resources as configured by the network administrator. 


9.2.3 Changing Passwords from a Macintosh Computer 


Macintosh users can change their passwords. When they change the simple password, the eDirectory 
password is automatically synchronized. 


1 In Macintosh OS 9, click the Apple menu > Chooser > AppleTalk > Server IP Address. 
or 
In Macintosh OS X, click Go > Connect to Server. 

2 Type the IP address or DNS name of the Linux server, then click Connect. 

3 Specify the username. 

4 Click Change Password. 

5 Type the old password and the new password, then click OK. 


9.2.4 Assigning Rights and Sharing Files from a Macintosh Computer 


Although using iManager is the recommended method for managing rights, Macintosh users have 
some file sharing and management capability through Chooser. 


+ “NSS Rights versus Macintosh Rights" on page 46 
* "Owner Rights" on page 47 

* "User / Group" on page 48 

* "Everyone" on page 48 


NSS Rights versus Macintosh Rights 


Using Chooser/Finder to access network files and folders is fairly consistent with the Macintosh 
environment, but there are some differences between NSS and Macintosh file sharing. Macintosh 
users can view the sharing information about specific folders by clicking Get Info/Sharing. 


* "Inherited Rights and Explicit Rights" on page 47 
* "Owner, User/Group, and Everyone Rights" on page 47 
Inherited Rights and Explicit Rights 


The Macintosh file system uses either inherited rights (which use the enclosing folder's privileges) or 
explicit rights (which assign rights to a group or user). A folder in the Macintosh file system cannot 
have both inherited and explicit rights. 


NSS uses both inherited and explicit rights to determine the actual rights that a user has. NSS allows 
a folder (or directory) to hold file rights for multiple groups and users. Because of these differences, 
Macintosh users will find that access rights to folders and files might function differently than 
expected. 

NSS uses inherited rights, so the Macintosh Use Enclosing Folder's Privileges option is automatically 
turned off. When a Macintosh user views the Get Info/Sharing dialog box for an NSS folder, only the 
User/Group assignments are visible if there is an explicit assignment on the folder. If the NSS folder 
inherits User/Group rights from a parent group or container, those rights are not displayed in the 
dialog box, nor is there any indication that the folder is inheriting rights from a group or container. 


Owner, User/Group, and Everyone Rights 


Because NSS allows multiple groups and users to have rights to a single folder, users are not able to 
delete rights assignments by using the Apple Macintosh interface. Users can add assignments to 
allow basic file sharing, but more complex rights administration must be done through iManager. 
When specifying Owners, Users, and Groups, there is no way to select from current groups. You 
must specify the correct eDirectory name and context (fully distinguished eDirectory name). 


TIP: No context is required if the context is specified in the context search file. 


Owner Rights 


In the Apple File Sharing environment, an owner is a user who can change access rights. In the NSS 
environment, users can change access rights if they have been granted the Access Control right for 
the folder. In NSS, an owner means the user who created the file. An NSS owner has no rights by 
virtue of ownership. In the NSS environment, the owner is the current user if he has access control 
rights to the folder. 

If the user has access control rights, then that user is shown as the owner of the file. If the user does 
not have access control rights, the actual NSS owner is shown as the owner. For directories, however, 
the NSS owner is always displayed. 

In Apple File Sharing, there can be more than one owner. If you change the owner, access control 
rights are added to the new owner, but are not removed from the current owner. In NSS, there are 
two ways to have access control rights: 1) have the Access Control right and 2) have the Supervisor 
right. Adding a new owner only adds the Access Control right, not the Supervisor right. If the 
current owner already has the Supervisor right through other management utilities, that right 
remains. The Supervisor right also gives full file access rights. This means that if you are the current 
user and have the Supervisor right, you also have read/write access and you cannot change those 
rights. 

The display only allows for one owner. If multiple users have file access rights, only the current user 
is shown in the Owner field. 
User / Group 


Only one user or group can be displayed for a folder, although NetWare allows multiple users and 
groups to be assigned file access rights. 


If both users and groups have access to an NSS folder, groups are displayed before users. The group 
with the most access rights is preferred over groups with fewer access rights. Only users or groups 
with explicit rights (not inherited rights) are shown in the User/Group field. Users and groups with 
inherited rights are not shown in the dialog box, nor is there any indication that there are users and 
groups with inherited rights. 


Rights set through this interface are inherited by the folder's subfolders. It is impossible to manage all 
inherited rights from the Macintosh interface. (Although it is not recommended, you could set the 
inherited rights filters from the management utilities to turn off inherited rights.) 


Everyone 


Assigning rights to Everyone acts like the Macintosh user expects, with the exception that Everyone's 
rights are inherited. In NetWare, the object that represents the rights of any authenticated user is used 
to set Everyone's rights. Everyone's rights can change from folder to folder, but when they are set, 
they are inherited by subfolders. 
10 Monitoring the AFP Server 


The AFP server provides a monitoring feature for you to use. 


+ Section 10.1, "Understanding the Monitoring Process," on page 49 
+ Section 10.2, "Enabling Monitoring," on page 49 
+ Section 10.3, "Viewing Logs through iManager," on page 49 
+ Section 10.4, "Understanding Performance Parameters," on page 50 


10.1 Understanding the Monitoring Process 


The monitoring framework helps you assess the performance of the AFP server. The details provided 
by the AFP server logs are beneficial if you want to tune the performance of the server based on your 
needs. This framework records the following runtime information: 

* Number of active threads in the AFP server 
* Load capacity of the AFP server 
* Query processing ability 
* AFP server efficiency ratio 


10.2 Enabling Monitoring 


You enable monitoring through the command line interface by using the following command: 


afpstat 


10.3 Viewing Logs through iManager 


1 In iManager, use one of the following methods to select a server in the tree where you are logged 
in: 


* In the Server field, type the Novell eDirectory distinguished server name for the server you 
want to manage, then press the Tab key or click somewhere on the page outside of the 
Server field to enter your selection. For example: 


afpserver.novell 


* Click the Search icon to open the eDirectory Object Selector. Browse or search the list to 
locate the server you want to manage, then click the server name. 


* Click the Object History icon to select a server you have recently managed. 


Wait for iManager to retrieve information about that server and display the appropriate 
information to the task page you are in. 
2 The status of the server is displayed in the status bar below the Server field. Click the status icon 
to view the log details. 


3 Select the General tab and scroll down to Version and Logging. 


4 Select the Enable Log option. This option turns the logging feature on and adds an entry to the log 
file. When logging is activated, AFP log and error messages are written to the 
/var/log/afptcpd/afptcp.log file. 


If you want to record the status, debug, and error messages in the afptcp.log file, ensure that the 
Enable Status, Enable Debug, and Enable Error options are selected. 
10.4 Understanding Performance Parameters 


When you click the statistics icon, the AFP server statistics window is displayed with the following information: 


Table 10-1 AFP Server Performance Parameters 


Parameter          Description 

Active Threads     Indicates the number of threads that are presently active on the AFP server. 

Load Ratio         Indicates the ratio of the total number of active threads to the total number of 
                   threads in the AFP server. 

Availability       Indicates the ratio of the total number of events required for creation of a new 
                   thread compared to the number of events required to execute an AFP task. 

Efficiency Ratio   The ratio of the total number of times that threads complete a task and then 
                   terminate themselves compared to the total number of times that threads complete 
                   a task. 

                   AFP always maintains a minimum number of threads in the pool. The minimum 
                   count of threads is set to 3 during installation, but you can modify it to increase 
                   the thread count in the pool. For more information on threads and connections, 
                   see Section 5.2, "Configuring General Parameters," on page 24. 

                   When the list of tasks to be executed by the AFP server is high and there are no 
                   idle threads in the thread pool, the AFP server creates a new pool of threads. 
                   After a thread finishes its assigned task, if it finds a minimum number of threads 
                   in the thread pool, the thread terminates itself. The AFP server maintains a 
                   record of such events. 

Connections        Number of AFP client sessions that are currently connected to the AFP server. 


You can control the number of log entries shown at one time by specifying your preference in the 
corresponding text field. 


For example, if you want to view the last 10 log entries of the AFP server, specify 10 in the Latest Log 
Entries to display field. 
11 Auditing the AFP Server 


The AFP server provides an auditing feature for you to use. 


* Section 11.1, "Understanding the Auditing Process," on page 51 
* Section 11.2, "Enabling Auditing," on page 51 
* Section 11.3, "Viewing Auditing Information," on page 52 


11.1 Understanding the Auditing Process 


The auditing framework helps you to monitor the authentication process and track any changes that 
occur to the configuration parameters of the server. Details of any changes that occur are recorded in 
the /var/log/audit/audit.log file. The audit daemon keeps track of the changes to the audit.log 
file. 


Auditing is disabled by default in OES 2 SP3. 


However, if it is enabled, you can disable it again by changing the Audit configuration option in the 
/etc/opt/novell/afptcpd/afptcpd.conf file manually or through iManager. 


When the auditing option is enabled, the AFP server reports changes for the following events: 

* AFP user login and logout events 

* Changes to the configuration parameters of the following files: 
  afptcpd.conf 
  afpvols.conf 
  afpdirctx.conf 
  casaforafp.sh 


11.2 Enabling Auditing 


You can enable auditing either through the command line or through iManager. 

+ Section 11.2.1, "Command Line," on page 51 
+ Section 11.2.2, "iManager," on page 52 


11.2.1 Command Line 


To enable auditing support through command line, use the following command: 


afptcpd -a 
11.2.2 iManager 


1 In iManager, use one of the following methods to select a server in the tree where you are logged 
in: 


+ In the Server field, type the Novell eDirectory distinguished server name for the server you 
want to manage, then press the Tab key or click somewhere on the page outside of the 
Server field to enter your selection. For example: 


afpserver.novell 


* Click the Search icon to open the eDirectory Object Selector. Browse or search the list to 
locate the server you want to manage, then click the server name. 


* Click the Object History icon to select a server you have recently managed. 


Wait for iManager to retrieve information about that server and display the appropriate 
information to the task page you are in. 


2 Select the General tab and scroll down to Version and Logging. 


3 Select the Auditing option. This turns on checks of the authentication process; those checks and 
any changes that occur to the configuration parameters of the AFP server are logged in the 
/var/log/audit/audit.log file. 


4 Click OK to save and apply the changes. 


IMPORTANT: When you manually make changes to the configuration parameters in the 
configuration files, the changes do not take effect until you restart the server. 


11.3 Viewing Auditing Information 


To view the audit logs, open the /var/log/audit/audit.log file in a text editor. 


Your log file resembles the following example: 


================================================================================ 
type=DAEMON_START msg=audit(1185934048.314:4312) auditd start, ver=1.2.9, 
format=raw, auid=4294967295 pid=27992 res=success, auditd pid=2 
type=CONFIG_CHANGE msg=audit(1185934048.418:4): audit_enabled=0 old=0 by 
auid=4294967295 
type=CONFIG_CHANGE msg=audit(1185934049.914:5): 
audit_backlog_limit=256 old=64 by auid=4294967295 
type=DAEMON_END msg=audit(1186036669.479:4313) auditd normal halt, sending auid=0 
pid=6208 subj=86036669.479:6): audit_enabled=0 old=0 
type=DAEMON_START msg=audit(1186036762.687:1615) auditd start, ver=1.2.9, 
format=raw, auid=4294967295 pid=3020 res=success, auditd pid=30 
type=CONFIG_CHANGE msg=audit(1186036762.784:4): audit_enabled=0 old=0 by 
auid=4294967295 
================================================================================ 
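The records shown above are the ones a security administrator should read first: an audit_enabled change tells you when the audit trail was switched off or on, and the auid field tells you which login UID did it (4294967295 is the "unset" value, meaning no user had logged in yet, as happens when the init script starts auditd). The following POSIX shell functions are an added example, not part of the guide or of the OES packages; they parse records in the auditd raw format shown above and report those changes. The sample log text is constructed to match that format, and its serials, PIDs and timestamps are made up.

```shell
#!/bin/sh
# Added example: summarise auditd records such as those written to
# /var/log/audit/audit.log on an OES 2 SP3 AFP server.  The sample below is
# constructed to match the raw auditd format shown in the guide; serial
# numbers, PIDs and timestamps are made up.
SAMPLE_AUDIT_LOG='type=DAEMON_START msg=audit(1185934048.314:4312): auditd start, ver=1.2.9 format=raw auid=4294967295 pid=27992 res=success
type=CONFIG_CHANGE msg=audit(1185934048.418:4): audit_enabled=0 old=0 by auid=4294967295
type=CONFIG_CHANGE msg=audit(1185934049.914:5): audit_backlog_limit=256 old=64 by auid=4294967295
type=DAEMON_END msg=audit(1186036669.479:4313): auditd normal halt, sending auid=0 pid=6208 res=success
type=CONFIG_CHANGE msg=audit(1186036762.784:4): audit_enabled=1 old=0 by auid=0
type=CONFIG_CHANGE msg=audit(1186040000.100:9): audit_enabled=0 old=1 by auid=1000'

# count_audit_type LOGTEXT TYPE
#   Print how many records of the given record type (e.g. CONFIG_CHANGE) appear.
count_audit_type() {
    printf '%s\n' "$1" | awk -v want="type=$2" '$1 == want { n++ } END { print n + 0 }'
}

# audit_toggle_events LOGTEXT
#   Print one line per change of the audit_enabled flag:
#   "<epoch> serial=<n> audit_enabled=<new> old=<old> auid=<login uid>"
audit_toggle_events() {
    printf '%s\n' "$1" | awk '
        $1 == "type=CONFIG_CHANGE" {
            new = ""; old = ""; who = ""
            for (i = 3; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "audit_enabled") new = kv[2]
                else if (kv[1] == "old")      old = kv[2]
                else if (kv[1] == "auid")     who = kv[2]
            }
            if (new == "") next
            # $2 looks like msg=audit(1186036762.784:4): -> epoch and serial
            ts = $2
            sub(/^msg=audit\(/, "", ts)
            sub(/\):$/, "", ts)
            split(ts, t, ":")
            printf "%s serial=%s audit_enabled=%s old=%s auid=%s\n", t[1], t[2], new, old, who
        }'
}

# audit_disabled_by_user LOGTEXT
#   Print the toggle records where a real login UID (not the unset value
#   4294967295) switched auditing OFF while it had been on.  Such records
#   deserve a follow-up: the AFP audit trail has a gap from that point on.
audit_disabled_by_user() {
    audit_toggle_events "$1" | awk '
        /audit_enabled=0 old=1/ && !/auid=4294967295$/ { print }'
}

# last_audit_state LOGTEXT
#   Print the most recent audit_enabled value ("1" on, "0" off), or "unknown"
#   if the log contains no such change.
last_audit_state() {
    audit_toggle_events "$1" | awk '
        { for (i = 1; i <= NF; i++) if (split($i, kv, "=") == 2 && kv[1] == "audit_enabled") last = kv[2] }
        END { print (last == "" ? "unknown" : last) }'
}

# Stand-alone run against the constructed sample.  Against a live server use,
# for example:  last_audit_state "$(cat /var/log/audit/audit.log)"
if [ "${1:-}" = "--demo" ]; then
    echo "CONFIG_CHANGE records: $(count_audit_type "$SAMPLE_AUDIT_LOG" CONFIG_CHANGE)"
    audit_toggle_events "$SAMPLE_AUDIT_LOG"
    echo "Records where a user switched auditing off:"
    audit_disabled_by_user "$SAMPLE_AUDIT_LOG"
    echo "Auditing currently: $(last_audit_state "$SAMPLE_AUDIT_LOG")"
fi
```

Run the script with `--demo` to see it work on the embedded sample; on a server, feed it the real audit.log and alert on any non-empty output from audit_disabled_by_user, since the AFP login and configuration-change events described in Section 11.1 are only recorded while audit_enabled is 1.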
12 Troubleshooting AFP 


This section describes some issues you might experience with the Novell Apple Filing Protocol (AFP) 
and provides suggestions for resolving or avoiding them. 

+ Section 12.1, "AFP Login Issues," on page 53 
+ Section 12.2, "Starting the AFP Server," on page 54 
+ Section 12.3, "File Creation," on page 54 
+ Section 12.4, "Displaying Volumes," on page 54 
+ Section 12.5, "Log Messages," on page 55 
+ Section 12.6, "AFP Server Responds Slowly," on page 55 
+ Section 12.7, "Operation fails when a Macintosh client mounts an NSS volume and tries to open 
certain files," on page 55 
+ Section 12.8, "Hardlinks are Broken When Files are Accessed from AFP Mount Point," on 
page 56 


For additional troubleshooting information, see the Novell Support Web site 
(http://support.novell.com). 


12.1 AFP Login Issues 


* Section 12.1.1, "Cannot See the Login Dialog Box," on page 53 


+ Section 12.1.2, "AFP User Login to a Macintosh 10.5 Client Fails With a Connection Failed Error,” 
on page 53 


+ Section 12.1.3, "Invalid Username and Password Error,” on page 54 


12.1.1 Cannot See the Login Dialog Box 


Cause: This error is displayed when the firewall is enabled on the AFP server. 


Action: To resolve this problem, use YaST to stop the firewall or set the firewall to allow connections 
from the client on TCP port 548. 


12.1.2 AFP User Login to a Macintosh 10.5 Client Fails With a Connection 
Failed Error 


Action: This problem can be resolved by assigning appropriate access rights to the AFP user. The 
AFP user needs access permission to at least one of the volumes exported from the AFP server to 
resolve this issue. 
12.1.3 Invalid Username and Password Error 


Action: If the credentials you have entered are correct, verify whether the afpdirctx.conf file has 
the context information for AFP users. The AFP server requires valid context information to resolve 
the typeless name user login. 


12.2 Starting the AFP Server 


+ Section 12.2.1, “Starting the AFP Daemon Failed,” on page 54 


12.2.1 Starting the AFP Daemon Failed 


Action: If you are not able to start the AFP daemon, check the status of the xregd daemon and the NSS 
daemon to see whether they are running. To check xregd, execute the following command at the prompt: 


rcnovell-xregd status 


If the daemon is not up, execute the rcnovell-xregd start command to start the daemon. 


12.3 File Creation 


+ Section 12.3.1, “Failure to Create a File on a Macintosh Client,” on page 54 


12.3.1 Failure to Create a File on a Macintosh Client 


Cause: This error is displayed when the server volume quota has exceeded its limits and a partially 
created file cannot be deleted. 


Action: To resolve this problem, terminate the AFP client by unmounting the volume where the 
partial file resides. 


12.4 Displaying Volumes 


+ Section 12.4.1, "Volumes Tab on a Macintosh 10.4 Client Displays an Empty Volume List," on 
page 54 


12.4.1 Volumes Tab on a Macintosh 10.4 Client Displays an Empty Volume 
List 


Action: This problem can be resolved by assigning appropriate access rights to the AFP user. The 
AFP user needs access permission to at least one of the volumes exported from the AFP server to 
resolve this issue. 
12.5 Log Messages 


This section describes some commonly encountered log file messages and provides suggestions for 
resolving them. 


+ Section 12.5.1, "NWDSResolveName failed to resolve supplied name <user name>," on page 55 
+ Section 12.5.2, "zOpen on volume <VOLUME NAME> failed," on page 55 
+ Section 12.5.3, "zAFPCountByScanDir: scandir failed," on page 55 


12.5.1 NWDSResolveName failed to resolve supplied name <user name> 


Cause: During login, the AFP server requires an eDirectory context to build an FQDN for the 
username. This error message is logged when there is no matching context for the username. 


Action: To resolve this error, review the eDirectory contexts, using the details in "Configuring 
Context Details" on page 30. 


12.5.2 zOpen on volume <VOLUME NAME> failed 


Cause: This error message is seen when you attempt to log in to a Macintosh 10.5 machine without 
appropriate rights to the volumes. 


Action: To resolve this error, use iManager to set rights for the volumes. 


12.5.3 zAFPCountByScanDir: scandir failed 


Cause: This error occurs if the number of open files limit exceeds the ulimit maximum for open files. 


Action: To resolve this error, either increase the ulimit for open files (using command ulimit -n 
<value>) or close some of the open files ensuring that the number of open files does not exceed the 
ulimit value. 
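The checks in Section 12.1.1 (firewall on TCP port 548), Section 12.2.1 (xregd running) and Section 12.5.3 (open-file limit of the AFP daemon) can be scripted so that they are run the same way every time. The following POSIX shell functions are an added example and are not part of the guide or of the OES packages. They take their input as arguments, so they can be exercised against captured command output or a test directory tree as well as against a live server. They assume that `ss -ltn` is available and that per-process limits can be read from /proc/<pid>/limits (older SLES releases may only ship netstat -ltn, whose columns differ); `rcnovell-xregd status` is the command the guide gives, and `pidof afptcpd` is assumed to find the AFP daemon.

```shell
#!/bin/sh
# Added example: scripted versions of the checks from the troubleshooting
# sections (TCP port 548 listening, xregd running, open-file headroom).
# Assumptions: `ss -ltn` exists, and per-process limits are readable from
# /proc/<pid>/limits (Linux).  Nothing here is part of the AFP packages.

# afp_port_listening SS_OUTPUT [PORT]
#   Given the output of `ss -ltn`, print "yes" if something listens on PORT
#   (default 548, the AFP port), otherwise "no".
afp_port_listening() {
    printf '%s\n' "$1" | awk -v port="${2:-548}" '
        $1 == "LISTEN" && $4 ~ (":" port "$") { found = 1 }
        END { print (found ? "yes" : "no") }'
}

# fd_usage PID [PROCROOT]
#   Print "<open fds> <soft limit>" for a process, reading PROCROOT/PID/fd and
#   PROCROOT/PID/limits (PROCROOT defaults to /proc; a fake tree can be passed
#   for testing).  Prints nothing and fails if the process does not exist.
fd_usage() {
    root="${2:-/proc}"
    [ -d "$root/$1/fd" ] || return 1
    used=$(ls -1 "$root/$1/fd" | wc -l | tr -d ' ')
    # In /proc/<pid>/limits the soft limit is the 4th field of the
    # "Max open files" line.
    limit=$(awk '/^Max open files/ { print $4 }' "$root/$1/limits")
    printf '%s %s\n' "$used" "$limit"
}

# fd_headroom_status USED LIMIT [WARN_PCT]
#   Print "ok" or "warn" depending on whether USED has reached WARN_PCT percent
#   (default 80) of LIMIT.  Running into the limit is the condition that
#   produces "zAFPCountByScanDir: scandir failed".
fd_headroom_status() {
    pct="${3:-80}"
    if [ "$2" = "unlimited" ]; then echo ok; return 0; fi
    if [ $(( $1 * 100 )) -ge $(( $2 * pct )) ]; then echo warn; else echo ok; fi
}

# afp_health_check
#   Run the live checks on this server and print one line per check.
afp_health_check() {
    afp_pid=$(pidof afptcpd 2>/dev/null | awk '{ print $1 }')
    echo "port 548 listening: $(afp_port_listening "$(ss -ltn 2>/dev/null)")"
    echo "xregd: $(rcnovell-xregd status 2>&1 | tail -n 1)"
    if [ -n "$afp_pid" ]; then
        set -- $(fd_usage "$afp_pid")
        echo "afptcpd open files: $1 of $2 ($(fd_headroom_status "$1" "$2"))"
    else
        echo "afptcpd: not running"
    fi
}

if [ "${1:-}" = "--run" ]; then
    afp_health_check
fi
```

Run the script with `--run` on the server itself. A "no" for port 548 with the daemon running points at the firewall (Section 12.1.1); a "warn" on open files means the ulimit should be raised or the open-file count reduced before the scandir failure appears in afptcp.log.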


12.6 AFP Server Responds Slowly 


Cause: This issue occurs in certain scenarios where the number of trustees on files or directories is 
high. This happens because the AFP server attempts to retrieve the rights of each trustee on the file or 
folder and return the trustee with the maximum rights as the owner or group of the file or folder. 


Action: To disable this, go to the General tab of iManager AFP plug-in and update the Sharing rights 
to NO. 


12.7 Operation fails when a Macintosh client mounts an NSS 
volume and tries to open certain files 


Cause: Macintosh stores metadata in certain files beginning with a dot character. These files exist on 
MAC volumes but are not stored on NSS. 


Action: The error log message for these files can be ignored. 
12.8 Hardlinks are Broken When Files are Accessed from AFP 
Mount Point 


The Macintosh specifications do not support this action. 
13 Security Guidelines for AFP 


This section describes security issues and recommendations for the Novell Apple Filing Protocol 
(AFP) for a Novell Open Enterprise Server 2 SP3. It is intended for security administrators or anyone 
who is using AFP for Linux and is responsible for the security of the system. It requires a basic 
understanding of AFP protocol. It also requires the organizational authorization and the 
administrative rights to carry out the configuration recommendations. 

+ Section 13.1, “Recommended Authentication Protocol,” on page 57 

+ Section 13.2, "Storing Credentials," on page 57 

* Section 13.3, "Intruder Detection," on page 57 

+ Section 13.4, “Rights for the Common Proxy User,” on page 57 


+ Section 13.5, "Timeout Values," on page 58 


13.1 Recommended Authentication Protocol 


The recommended protocol for authentication is Diffie Hellman (DHX). It provides a secure way to 
transport clear-text passwords of up to 64 characters to the server for further processing. 


Other authentication modes like Cleartext, Random Number Exchange, and the Two-Way Random 
Key Exchange protocol support only 8-character passwords. With these modes, if the eDirectory 
password is longer than 8 characters, any attempt to log in results in failure. 


13.2 Storing Credentials 


We recommend that you specify CASA as the credential storage location during configuration of 
the AFP service. This ensures that your credentials are safe. 


13.3 Intruder Detection 


Intruder Detection limits the number of unsuccessful login attempts. The AFP server does not 
support intruder detection, so if the AFP user does not log in successfully, the user is not locked out 
even if you have set intruder detection to ON in NMAS. 


13.4 Rights for the Common Proxy User 


By default, the AFP proxy user does not have permission to read the passwords for users of a 
password policy. The AFP user can log in to the AFP server only when the AFP proxy user is granted 
rights to read the password in the password policy. 
13.5 Timeout Values 


The timeout values for the AFP server range from 2 minutes to 24 hours. The default timeout value is 
24 hours. This default value can be reconfigured by setting the RECONNECT PERIOD value in the 
afptcpd.conf file or by setting the Reconnect period option through iManager. 


For more information on how to set the reconnect period value through iManager, see "Threads and 
Connections" on page 25. 


To configure this value through the CLI, start the AFP daemon with the -r option. For example: 
afptcpd -r <reconnect period> OR afptcpd --reconnect-period=<reconnect period> 
A Command Line Utilities for AFP 


This section details the syntax and options for the following Novell Apple Filing Protocol (AFP) 
utilities for Novell Open Enterprise Server 2 SP3 Linux. 


+ Section A.1, "afpdtreset," on page 59 
+ Section A.2, "afpstat," on page 59 
+ Section A.3, "afptcpd," on page 59 
+ Section A.4, "afpbind," on page 60 
+ Section A.5, "afpnames," on page 60 
+ Section A.6, "migafp," on page 60 


A.1 afpdtreset 


Resets the desktop database on a volume. 


Syntax 


afpdtreset 


A.2 afpstat 


Displays statistics for the afp daemon. 
Syntax 
afpstat 


A.3 afptcpd 


The daemon for the Novell AFP server. 


Syntax 


afptcpd [options <parameters>] 
A.4 afpbind 


Allows cluster pool names and virtual IP addresses to be advertised through the AFP server. 


Syntax 


afpbind [add] <cluster pool name> <virtual IP address> 


afpbind [del] <cluster pool name> <virtual IP address> 


A.5 afpnames 


This command notifies the AFP server to operate a particular volume or all volumes in case-sensitive 
or case-insensitive mode. By default, new volumes or existing volumes operate in case-sensitive 
mode. 


Syntax 


afpnames <case-sensitive | case-insensitive> <all | volume-name> 


A.6 migafp 


Migrates the AFP service from NetWare to an OES 2 SP3 system. 


Syntax 


migafp -s <IP address of the source server> -u <DN of the source server admin> -w <Password for the source 
server admin> -h (prints a summary of the migration process) 


Example for migafp: 


migafp -s 10.10.10.1 -u cn=sourceadmin.o=novell -w password 
B Comparing AFP on NetWare and AFP on Linux 


This section compares features and capabilities of Novell Apple Filing Protocol on the NetWare and 
Linux platforms for Novell Open Enterprise Server 2 SP3 servers. 


Feature: Administering 
  AFP for NetWare: Limited to starting and stopping the server. See "Enabling and Disabling AFP" 
  in the NW 6.5 SP8: AFP, CIFS, and NFS (NFAP) Administration Guide. 
  AFP for Linux: Ability to configure AFP server parameters through iManager. See "Administering 
  the AFP Server" on page 23. 


Feature: File Names and Paths 
  AFP for NetWare: 
    sys:\etc\ctxs.cfg 
    sys:\etc\afpvol.cfg 
    sys:\etc\afptcp.log 
  AFP for Linux: 
    /etc/opt/novell/afptcpd/afpdirctx.conf 
    /etc/opt/novell/afptcpd/afpvols.conf 
    /etc/opt/novell/afptcpd/afptcpd.conf 
    /var/log/afptcpd/afptcp.log 


Feature: Installation 
  AFP for NetWare: Customized installation during installation of NetWare 6.5. See "Installing 
  Novell Native File Access Protocols on a NetWare 6.5 Server" in the NW 6.5 SP8: AFP, CIFS, and 
  NFS (NFAP) Administration Guide. 
  AFP for Linux: Installation through YaST along with associated dependencies. See "Installing and 
  Setting Up AFP" on page 17. 


Feature: Simple Password support 
  AFP for NetWare: Yes 
  AFP for Linux: No 


Feature: Universal Password 
  AFP for NetWare: Yes. Limited to 8 characters. 
  AFP for Linux: Yes. More than 8 characters. 


Feature: Migration support 
  AFP for NetWare: Not Applicable 
  AFP for Linux: Support to migrate from NetWare to Linux. See "Migrating AFP from NetWare to 
  OES 2 SP3 Linux" on page 33. 


Feature: Mac versions supported 
  AFP for NetWare: Classic Mac, Mac OS 10.3, 10.4, 10.5, and 10.6 
  AFP for Linux: Mac OS 10.3, 10.4, 10.5, and 10.6 


Feature: Cross-Protocol Locking 
  AFP for NetWare: Supported among AFP, CIFS, and NCP. 
  AFP for Linux: Supported between AFP, CIFS, and NCP. 


Feature: Authentication Methods 
  AFP for NetWare: Cleartext, Two-Way Random Key Exchange, Random Exchange 
  AFP for Linux: Cleartext, Two-Way Random Key Exchange, Random Exchange, Diffie Hellman 
  Exchange 


Feature: Dynamic detection of volumes 
  AFP for NetWare: Yes 
  AFP for Linux: Yes 


Feature: Choosing volumes to be exported 
  AFP for NetWare: Yes 
  AFP for Linux: Yes 


Feature: Bonjour Support 
  AFP for NetWare: No 
  AFP for Linux: Yes 


Feature: Support for 64-bit architecture 
  AFP for NetWare: No 
  AFP for Linux: Yes 
C Documentation Updates 


* Section C.1, "September 2011," on page 63 
* Section C.2, "December 2010," on page 63 
* Section C.3, "November 2009," on page 63 
* Section C.4, "November 2008," on page 65 


C.1 September 2011 


* Updated the What's New chapter with details of August patch. 


C.2 December 2010 


* Updated the Section 4.1, "Installing AFP during the OES 2 SP3 Installation," on page 17 with the 
common proxy changes. 


* The following note is added in Section 4.1, "Installing AFP during the OES 2 SP3 Installation," 
on page 17: 


NOTE: Installing novell-afptcpd also installs Audit and starts auditd. 


* Updated the frontfile with version and date. 
* Updated the hyperlinks to the latest availability of documentation. 
* Added a note in Section 4.2, "Installing AFP after the OES 2 SP3 Installation," on page 20. 


* Added Section 4.3, "Installing AFP NMAS Methods," on page 21 in the Chapter 4, "Installing 
and Setting Up AFP” on page 17. 


+ Added Section 4.4.1, "Verifying LSM Installation," on page 22 in the Chapter 4, "Installing and 
Setting Up AFP," on page 17. 


C.3 November 2009 


* The following is added in Section 5.2.4, "Other," on page 27: 


When an OES2 SP1 AFP iManager plugin tries to manage an OES2 SP2 AFP server, configuration 
settings like CROSS PROTOCOL LOCKS, NO UNLOAD TIME, CHECK, 
NO COUNT ON OFFSPRING cannot be managed, as these options are removed from the OES2 
SP2 AFP Server. Similarly, the new settings GUEST USER and EXPORT ALL VOLUMES added 
in the OES2 SP2 AFP Server cannot be managed by the OES2 SP1 AFP iManager plugin. 
Specifying alias names for volumes in the afpvols.conf file is mandatory in OES2 SP1. However, 
it is optional in OES2 SP2. Hence, when an OES2 SP1 AFP iManager plugin uses the 
volume management feature of an OES2 SP2 AFP Server, it is mandatory to specify the alias 
name for the volumes. 


+ Section 8.2.1, “Volume Name Management in a Cluster,” on page 38 is added to Chapter 8, 
“Configuring AFP with Novell Cluster Services for an NSS File System,” on page 37. 


* Section 12.6, "AFP Server Responds Slowly," on page 55 is added to Chapter 12, 
"Troubleshooting AFP” on page 53. 


* In Section 5.2.4, "Other," on page 27, Off Spring Count and Cross Protocol information is 
removed. 


* Frontfile updated with the release date as November, 2009. 


* The Load and Unload scripts are revised in Chapter 8, "Configuring AFP with Novell Cluster 
Services for an NSS File System," on page 37. 


+ Section 12.5.3, “zAFPCountByScanDir: scandir failed," on page 55 is added in Chapter 12, 
“Troubleshooting AFP,” on page 53. 


* Section 3.3, "Antivirus Support," on page 15 is added. 


+ Section 5.2.5, "Rights to a File or Folder," on page 28 is added in the Chapter 5, "Administering 
the AFP Server," on page 23. 


+ The following content is included in the Chapter 4, "Installing and Setting Up AFP,” on page 17: 
The AFP Proxy user: 
* must be a member of the Universal Password policy. 
* must be added as a reader of passwords in that policy. 
* The following is included in the Chapter 5, "Administering the AFP Server," on page 23: 


* The AFP volume share name supports all ASCII characters except NULL, colon(:), and 
forward slash(/). 


+ AFP now supports Bonjour. A new screenshot and a writeup is included in the “Installing AFP 
during the OES 2 SP3 Installation" on page 17 in the Installing and Setting Up AFP chapter. 


* The following note is included in "Administering the AFP Server" on page 23: 


NOTE: Admin equivalent/container admin users should be LUM enabled to manage the AFP 
server through AFP iManager plugin. 


* Cross Protocol Lock and Export All Volumes are documented in the Section 5.2.4, "Other," on 
page 27 in the Administering the AFP Server chapter. 


+ An important note is included in the Section 5.3, "Configuring Volume Details,” on page 28 as 
follows: 


IMPORTANT: Do not edit the afpvols.conf file for a volume that is already mounted and in use 
(mounted on AFP clients). However, if there is a need to modify the file, restarting the server is the 
only recommended way to apply the change. This lets the volumes mounted on clients have a clean 
unmount. Using the reload option after a modification leads to irrecoverable issues and should be 
avoided. 


+ The following description is included in the Section 5.3, "Configuring Volume Details,” on 
page 28: 
Dynamic Detection of Volumes: AFP server now dynamically detects adding/mounting a new 
NSS volume and deleting/unmounting an existing NSS volume. The AFP server updates itself 
with the current set of volumes on the OES 2 SP2 server. An explicit reload of the server is not 
required. 
NOTE: The dynamic detection is applicable to standalone servers as well as cluster nodes. 


* A note is included in the Installing AFP during the OES 2 SP3 Installation section in Chapter 4, 
"Installing and Setting Up AFP," on page 17 as follows: 


NOTE: AFP configuration fails when the container admin tries to add the proxy user as reader 
of passwords to the password policy. Configuration fails as the container admin does not have 
the write rights to the password policies in the security container. Provide the container admin 
create rights on the password policy container and rerun the configuration. 


C.4 November 2008 


+ All chapters and sections are new additions to OES 2 SP1 release. 